GitHub Supply Chain Chaos: Popular Action Tool Compromised, Secrets Exposed!
A supply chain attack on the popular ‘tj-actions/changed-files’ GitHub Action allowed threat actors to potentially steal CI/CD secrets from 23,000 repositories. While the malicious code didn’t send data to a remote server, secrets were exposed in public logs. GitHub has since removed the compromised action and provided guidance for affected users.

Hot Take:
Who knew GitHub could be a secret agent’s paradise? With the ‘tj-actions/changed-files’ GitHub Action getting hijacked, it’s a reminder that even in the world of automation, there’s always a plot twist waiting to unravel. Who needs a spy thriller when you have CI/CD secrets flying around like confetti? It’s all fun and games until your secrets are laid bare like a streaker at a sports event.
Key Points:
- Supply chain attack on ‘tj-actions/changed-files’ GitHub Action, affecting 23,000 repositories.
- Malicious commit added on March 14, 2025; secrets exposed in public workflow logs.
- GitHub removed the compromised action and restored the repository on March 15, 2025.
- Attackers used a compromised GitHub personal access token (PAT) belonging to @tj-actions-bot.
- GitHub recommends pinning actions to commit hashes and using allow-listing for security.
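To make the last recommendation concrete, here is an added audit script (not from GitHub or the tj-actions project) that scans a workflow file for `uses:` references that are not pinned to a full 40-character commit SHA, or whose owner is not on an assumed per-repository allow-list of trusted action publishers. The sample workflow and the all-zero SHA are constructed placeholders.

```python
import re
from typing import List, Set

# Matches a step reference like `owner/repo@ref` or `owner/repo/path@ref`.
# Local actions (`./path`) and `docker://` images never carry `@<ref>` here, so they are skipped.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([\w.-]+/[\w./-]+)@([\w./-]+)['\"]?")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(workflow_text: str, allowed_owners: Set[str]) -> List[dict]:
    """Return one finding per `uses:` line that is pinned to a mutable ref (tag or branch)
    instead of a full commit SHA, or whose owner is outside the allow-list.
    Mutable tags are flagged because the tj-actions compromise worked by retroactively
    repointing existing version tags at the malicious commit."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group(1), m.group(2)
        owner = action.split("/")[0]
        problems = []
        if not FULL_SHA_RE.match(ref):
            problems.append("not pinned to a full commit SHA")
        if owner not in allowed_owners:
            problems.append(f"owner '{owner}' not on allow-list")
        if problems:
            findings.append({"line": lineno, "action": action, "ref": ref, "problems": problems})
    return findings


# Constructed sample workflow (not taken from any real repository); the SHA is a placeholder.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000
      - uses: tj-actions/changed-files@v45
      - uses: ./.github/actions/local-step
      - uses: some-vendor/tool@main
"""

if __name__ == "__main__":
    # Assumed allow-list: only actions published under the `actions` org are trusted.
    for f in audit_workflow(SAMPLE_WORKFLOW, {"actions"}):
        print(f"line {f['line']}: {f['action']}@{f['ref']} -> {', '.join(f['problems'])}")
```

Pinning to a SHA only helps if the pinned commit was reviewed; pair the audit with GitHub's organisation-level allowed-actions policy rather than relying on the script alone.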