Published: · Region: Global · Category: cyber

Popular GitHub And npm Tools Hit By Credential-Stealing Attacks

On 19 May 2026, security researchers reported a supply‑chain compromise of the GitHub Action 'actions-cool/issues-helper' and malicious npm packages tied to the 'atool' maintainer account. The campaigns inject credential‑stealing code into CI/CD pipelines and widely used JavaScript libraries.

Key Takeaways

Early on 19 May 2026, around 04:38–06:14 UTC, security alerts highlighted two significant software supply‑chain attacks targeting core components of the modern development ecosystem. In the first case, a popular GitHub Action named actions-cool/issues-helper was reported compromised. All existing tags for the Action were redirected to a malicious imposter commit, which inserts code intended to steal credentials from GitHub Actions runners.

Because GitHub Actions are used to automate workflows across countless open‑source and corporate projects, a compromise of this nature potentially exposes authentication tokens, secrets, and other sensitive information used in continuous integration and deployment pipelines. Any project that referenced the affected Action by tag rather than by a specific, verified commit hash may have unknowingly executed the attacker’s payload during routine builds or automation tasks.

In a parallel development, security researchers identified a related or at least thematically similar campaign against npm packages tied to the maintainer account "atool." Notably, the popular echarts-for-react package—reportedly with around 1.1 million weekly downloads—was among those modified to include credential‑stealing code. The operation, referred to in reports as "Mini Shai-Hulud," embeds the malicious logic inside developer‑oriented tools, aiming to harvest credentials and potentially gain access to internal systems.

Key actors in these incidents include the unknown threat actors behind the compromises, GitHub and npm as platform providers, and the maintainers whose accounts or repositories were targeted. The attacks appear focused on leveraging trust in widely used development components to propagate into numerous downstream environments.

From a technical standpoint, the pivot to compromising CI/CD infrastructure is particularly concerning. Access to build systems can allow attackers to plant backdoors in software artifacts, manipulate deployment pipelines, or move laterally into cloud and on‑premises environments. Given the scale of usage for both GitHub Actions and npm libraries, even a short window of exposure can affect thousands of organizations.

The broader implications are significant. Software supply‑chain attacks have been rising in prominence, with adversaries recognizing that compromising a few highly trusted components can yield disproportionate access. These latest incidents reinforce the need for stronger authentication for maintainers, routine verification of code integrity, and defence‑in‑depth strategies that assume third‑party components may be compromised.

Organizations using the affected GitHub Action or npm packages must urgently assess their exposure: determining when the malicious versions were introduced, whether their pipelines executed the tainted code, and what secrets or tokens may have been exfiltrated. Incident response teams should treat any exposed credentials as compromised and rotate them immediately, while monitoring for anomalous access patterns.

Outlook & Way Forward

In the coming days, GitHub, npm, and upstream maintainers are likely to issue formal advisories, revoke compromised tokens, and remove or quarantine malicious versions. Security vendors and incident response firms will publish indicators of compromise and detection signatures, helping organizations identify whether they have been affected.

Longer‑term, the incidents will increase pressure on ecosystem providers to implement more robust safeguards: enforced multi‑factor authentication for maintainers, signed releases with verifiable provenance, and better monitoring for anomalous changes to popular projects. Development teams will face growing expectations to pin dependencies to specific hashes, adopt software bills of materials (SBOMs), and integrate supply‑chain security tools into their pipelines.

Strategically, these attacks illustrate that adversaries—whether criminal or state‑linked—see the development toolchain as prime terrain. Policymakers and industry leaders should anticipate more such operations and invest in collaborative defences, including threat intelligence sharing focused specifically on software supply chains. Organizations that move quickly to assess and remediate their exposure to the actions-cool/issues-helper and atool/echarts-for-react compromises will not only reduce immediate risk but also strengthen their resilience against the next wave of similar campaigns.

Sources

Related Coverage

GLOBAL

US Seeks Early Access to AI Models Under New Framework

The US government has asked leading AI labs to provide access to new models up to 90 days before public release under a voluntary framework. The request, disclosed around 19:12 UTC on 20 May 2026, aims to bolster safety evaluations amid growing concern over advanced AI capabilities.
GLOBAL

China and Russia Deepen Strategic Pact, Reject Iran Strikes

During President Vladimir Putin’s 19–20 May 2026 visit to China, Beijing and Moscow signed 42 agreements and joint declarations spanning military, energy, and geopolitical cooperation. By 18:34–19:17 UTC on 20 May, both sides had publicly defended a multipolar order and condemned recent US–Israeli strikes on Iran as illegal.
GLOBAL

US Test-Launches Minuteman III ICBM in Pacific

The United States conducted a test launch of an unarmed Minuteman III intercontinental ballistic missile over the Pacific Ocean region on 20 May 2026. The exercise, carried out earlier in the day in UTC terms, is likely intended to validate nuclear deterrent reliability amid mounting global strategic tension.
WARNING

Iran Tightens Hormuz Control as NATO Downs Ukrainian Drone Over Estonia

At around 19:58–20:02 UTC, Iran announced a new 'Persian Gulf Strait Authority' and declared that all transit through the Strait of Hormuz now requires its coordination and authorization, deepening an ongoing U.S.–Iran tanker blockade standoff. Separately, at about 19:08 UTC, a NATO fighter for the first time shot down a Ukrainian drone over Estonia that was reportedly using Estonian airspace to strike Russia. Together these moves raise geopolitical and market risk around global energy flows and NATO–Russia escalation.
WARNING

Iran Formalizes Hormuz Transit Controls, Raising Oil Risk Premium

Iran has announced a new 'Persian Gulf Strait Authority' that declares all transit through the Strait of Hormuz must be coordinated and authorized. Coming amid an existing U.S.-enforced blockade on Iranian oil tankers, this formalizes Tehran’s claim of regulatory control and heightens the risk of friction with Western navies and commercial shippers.
WARNING

Iran Tightens Hormuz Control as U.S. Indicts Raúl Castro

Around 20:02 UTC on 20 May 2026, Iran’s new Persian Gulf Strait Authority declared that all transit through the Strait of Hormuz now requires Iranian coordination and authorization, formalizing a regulatory lever amid an ongoing U.S. naval enforcement operation against Iranian oil. Earlier, at about 19:05–19:10 UTC, the U.S. Department of Justice announced an indictment of former Cuban leader Raúl Castro over the 1996 killing of four U.S. citizens. Together, these moves harden U.S. confrontation with Tehran and Havana, with immediate implications for energy security and regional stability.