Summary: A supply chain attack on the popular ‘tj-actions/changed-files’ GitHub Action led to the potential exposure of CI/CD secrets from 23,000 repositories. Attackers injected malicious code into the tool’s repository, compromising the personal access token of a bot with privileged access. GitHub has since removed the malicious version, but users are advised to take immediate actions to secure their workflows and secrets.
Affected: tj-actions/changed-files GitHub Action
Key points:
- Attackers added malicious code to the ‘tj-actions/changed-files’ GitHub Action on March 14, 2025.
- The compromised action made CI/CD secrets visible in publicly accessible repositories, requiring affected users to rotate secrets used during the attack timeframe.
- GitHub recommends pinning actions to specific commit SHAs rather than mutable tags, and using an allow-list of permitted actions, to reduce the risk of similar attacks.
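As an added illustration of the two recommendations above (this is example code, not from the advisory or the tj-actions project), the following script audits a workflow file for `uses:` references that are not pinned to a full 40-character commit SHA and for action owners that are not on an allow-list. The sample workflow, the `ALLOWED_OWNERS` policy and the 40-hex SHA are all constructed for the example; the SHA is a placeholder and not a real commit.

```python
import re
from typing import Dict, List, Set

# Constructed sample workflow (not from the advisory or any real repository);
# the 40-hex value on the SHA-pinned line is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v1
      - uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""

# Hypothetical allow-list policy: only actions published under these owners are permitted.
ALLOWED_OWNERS: Set[str] = {"actions"}

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(ref: str) -> str:
    """Classify a `uses:` reference as local, docker, sha-pinned or mutable.

    A mutable reference (tag, branch, or no ref at all) resolves to whatever
    commit the upstream repository currently points it at, so a compromised
    maintainer token can silently change what the workflow runs.
    """
    if ref.startswith("./"):
        return "local"
    if ref.startswith("docker://"):
        return "docker"
    if "@" not in ref:
        return "mutable"  # no ref: resolves to the default branch
    version = ref.rsplit("@", 1)[1]
    return "sha-pinned" if FULL_SHA_RE.match(version) else "mutable"


def owner_of(ref: str) -> str:
    """Return the GitHub owner (user or org) part of an `owner/repo@ref` string."""
    return ref.split("@", 1)[0].split("/", 1)[0]


def audit_workflow(text: str, allowed_owners: Set[str]) -> List[Dict[str, object]]:
    """Return one finding per remote action that is unpinned or not on the allow-list."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1).strip("\"'")
        kind = classify_ref(ref)
        if kind in ("local", "docker"):
            continue  # out of scope for this check
        problems: List[str] = []
        if kind == "mutable":
            problems.append("not pinned to a full commit SHA")
        if owner_of(ref) not in allowed_owners:
            problems.append("owner not on allow-list")
        if problems:
            findings.append({"line": lineno, "uses": ref, "problems": problems})
    return findings


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW, ALLOWED_OWNERS):
        print(f"line {f['line']}: {f['uses']}: {'; '.join(f['problems'])}")
```

Run against the constructed workflow, the script flags the two tag-pinned lines as mutable and both `tj-actions` lines as outside the allow-list. Pinning to a SHA makes the reference immutable but does not vouch for the commit itself, so a newly pinned SHA still deserves review before it is adopted.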