Summary: A cascading supply chain attack initiated by the compromise of the “reviewdog/action-setup@v1” GitHub Action has led to the exposure of CI/CD secrets in the “tj-actions/changed-files” repository across 23,000 projects. The attackers injected malicious code that captured personal access tokens via compromised GitHub Actions. Although the root cause of the breach is still under investigation, developers are urged to take immediate actions to mitigate risks.
Affected: tj-actions, reviewdog
Keypoints :
- The initial breach involves “reviewdog/action-setup@v1,” which allowed attackers to inject code that leaked CI/CD secrets through workflow logs.
- Upon discovery, affected developers are advised to check for compromised payloads in their repositories and rotate potentially exposed secrets.
- To enhance security, it is recommended to pin GitHub Actions to specific commit hashes and limit actions through GitHub’s allow-listing feature.