Update: @SocketSecurity's threat intel team noted a possible link between this GitHub Actions attack and the recent AntV npm compromise.
Both share the same exfil domain (t.m-kosche[.]com) and appear tied to the Mini Shai-Hulud activity cluster.
Reminder: Every tag now points to malicious code.
Quick action: Pin workflows to full commit SHA only. Check yours ASAP.