GitHub Actions workflow compromised to steal CI/CD credentials

SCM feed for Latest
Actively Exploited

Overview

A recent cybersecurity incident has revealed that attackers compromised GitHub Actions workflows to steal Continuous Integration/Continuous Deployment (CI/CD) credentials. The attackers used a tactic known as 'imposter commit,' which involved changing all existing tags in the repository to redirect them to a malicious commit. This manipulation allowed the attackers to gain unauthorized access to sensitive credentials that could be used to deploy malicious code or access private systems. Developers and organizations using GitHub Actions should be particularly vigilant, as this incident could expose them to further attacks if their credentials are misused. The incident underscores the need for stricter security measures around CI/CD pipelines to prevent similar compromises in the future.

Key Takeaways

  • Active Exploitation: This vulnerability is being actively exploited by attackers. Immediate action is recommended.
  • Affected Systems: GitHub Actions, CI/CD credentials
  • Action Required: Implement stricter access controls, review and rotate CI/CD credentials, and monitor for unauthorized changes in repositories.
  • Timeline: Newly disclosed

Original Article Summary

The attack involves an "imposter commit" strategy where all existing tags in the repository were altered to point to a malicious commit.

Impact

GitHub Actions, CI/CD credentials

Exploitation Status

This vulnerability is confirmed to be actively exploited by attackers in real-world attacks. Organizations should prioritize patching or implementing workarounds immediately.

Timeline

Newly disclosed

Remediation

Implement stricter access controls, review and rotate CI/CD credentials, and monitor for unauthorized changes in repositories.
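As an added defensive check (not code from the original article), the two audits that follow from the advice above: comparing a repository's tag-to-commit map against a recorded baseline to catch tags redirected to a single malicious commit, and flagging workflow `uses:` references that follow a mutable tag or branch instead of a full commit SHA. The tag maps, action names and SHAs are constructed placeholders.

```python
import re
from collections import Counter
# Constructed sample (not from the article): tag -> commit map recorded at the last review vs. the map seen now.
BASELINE_TAGS = {
    "v0.9.0": "0000000000000000000000000000000000000000",
    "v1.0.0": "1111111111111111111111111111111111111111",
    "v1.1.0": "2222222222222222222222222222222222222222",
    "v2.0.0": "3333333333333333333333333333333333333333",
}
CURRENT_TAGS = {  # v0.9.0 has been deleted
    "v1.0.0": "deadbeefdeadbeefdeadbeefdeadbeefdeadbeef",  # retargeted
    "v1.1.0": "deadbeefdeadbeefdeadbeefdeadbeefdeadbeef",  # retargeted to the same commit
    "v2.0.0": "3333333333333333333333333333333333333333",  # unchanged
    "v2.1.0": "4444444444444444444444444444444444444444",  # new tag, not a finding
}

def find_retargeted_tags(baseline, current):
    """{tag: (old_sha, new_sha)} for each baseline tag that no longer points at its recorded
    commit; a deleted tag is reported with new_sha=None. Tags added since are ignored."""
    return {t: (old, current.get(t)) for t, old in baseline.items() if current.get(t) != old}

def converging_commits(moved):
    """Commits that more than one retargeted tag now points at: the pattern the advisory describes."""
    counts = Counter(new for _, new in moved.values() if new is not None)
    return {sha for sha, n in counts.items() if n > 1}

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
def unpinned_actions(workflow_yaml):
    """`uses:` references that resolve through a mutable ref (tag or branch) rather than a full
    commit SHA; moving a tag cannot change what a SHA-pinned step runs. Local and docker:// refs skipped."""
    findings = []
    for line in workflow_yaml.splitlines():
        m = USES_LINE.match(line)
        if not m or m.group(1).startswith(("./", "docker://")):
            continue
        ref = m.group(1)
        version = ref.rsplit("@", 1)[1] if "@" in ref else ""
        if not FULL_SHA.match(version):
            findings.append(ref)
    return findings
# Constructed workflow snippet; the action names are placeholders, not real actions.
SAMPLE_WORKFLOW = """\
steps:
  - uses: example-org/checkout@v4
  - uses: example-org/setup-tool@0123456789abcdef0123456789abcdef01234567  # SHA-pinned
  - uses: ./.github/actions/local-step
  - uses: example-org/deploy-action@main
"""
```

Feeding `find_retargeted_tags` with a map taken from `git ls-remote --tags` on a schedule, and alerting when `converging_commits` is non-empty, turns the advisory's "monitor for unauthorized changes" into a concrete detection.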

Additional Information

This threat intelligence is aggregated from trusted cybersecurity sources. For the most up-to-date information, technical details, and official vendor guidance, please refer to the original article linked below.

Related Coverage

Attackers hit vulnerabilities hard last year, making exploits the top entry point for breaches

CyberScoop

A recent report from Verizon revealed a significant rise in the number of security breaches caused by exploited vulnerabilities last year. Many organizations are failing to address these critical defects, leaving their systems open to attacks. The report emphasizes that these vulnerabilities have become the primary entry point for cybercriminals, meaning that companies need to prioritize patching and updates to protect their systems. This trend points to a concerning oversight in cybersecurity practices across various industries, where outdated software and unaddressed vulnerabilities can lead to severe data breaches and financial loss. As attackers continue to exploit these weaknesses, the urgency for organizations to strengthen their security measures has never been greater.

May 19, 2026

Discord rolls out end-to-end encryption on voice, video calls

BleepingComputer

Discord has implemented end-to-end encryption (E2EE) for all voice and video calls on its platform, ensuring that communications are secure by default. This means that only the participants in a call can access the audio and video data, protecting users from potential eavesdropping. This move is particularly significant as the platform has grown in popularity for gaming and community interaction, making privacy a key concern for its users. By adopting E2EE, Discord aims to enhance user trust and protect sensitive conversations from unauthorized access. This change is now live for all users, emphasizing the importance of secure communication in online interactions.

May 19, 2026

CISA Exposes Secrets, Credentials in 'Private' Repo

darkreading

The Cybersecurity and Infrastructure Security Agency (CISA) has come under scrutiny after its GitHub repository, humorously titled 'Private-CISA', was made publicly accessible in November 2025. This repository contained sensitive information, including secrets and credentials that should have remained confidential. The irony of the repository's name has drawn attention, as it raises questions about the agency's security practices. This incident is concerning as it could potentially expose various systems to unauthorized access, increasing the risk of cyberattacks. The exposure of such sensitive data not only affects CISA's credibility but also impacts the security posture of the organizations relying on its guidance.

May 19, 2026

FBI: Americans lost over $388 million to scams using crypto ATMs in 2025

BleepingComputer

In 2025, the FBI reported that Americans lost over $388 million to scams involving cryptocurrency ATMs, also known as crypto kiosks or Bitcoin ATMs. These scams typically involve fraudsters tricking victims into sending money to them through these machines, often under the guise of legitimate transactions. The rise in these scams highlights a growing concern as more people turn to cryptocurrency for transactions. The FBI's warning emphasizes the need for users to be cautious and verify any transaction before proceeding, especially given the irreversible nature of cryptocurrency transactions. This situation not only affects individual victims but also raises questions about the security measures in place at these ATMs and the responsibility of operators to protect users.

May 19, 2026

Universal Robots patches critical 9.8 flaw in ‘cobots’ OS

SCM feed for Latest

Universal Robots has addressed a serious security vulnerability in its collaborative robots, or 'cobots,' which could allow attackers to take control of production systems from a distance. The flaw has been rated 9.8 on the CVSS scale, indicating its severity and potential impact on operations. Companies using these cobots need to ensure they apply the latest patches to protect their systems. If left unaddressed, this vulnerability could disrupt manufacturing processes and lead to significant financial losses. Users should stay informed about updates to minimize risks associated with this flaw.

May 19, 2026

Drupal to Patch Highly Critical Vulnerability at Risk of Quick Exploitation

SecurityWeek

Drupal has announced a highly critical vulnerability that poses a significant risk of exploitation in the near future. The organization warns that attackers could develop an exploit for this vulnerability within hours or days, putting numerous sites at risk. This issue affects users of Drupal, a popular content management system used by many websites globally. The urgency of the situation stems from the potential for rapid attacks, which could compromise site security and user data. As a result, Drupal is working on a patch to address the vulnerability, emphasizing the need for users to stay vigilant and apply updates as soon as they become available.

May 19, 2026