FOCUS MODE
EXTRACT IOC
Threat Research

Threat Assessment: GitHub Actions Supply Chain Attack: The Compromise of tj-actions/changed-files

Unit42
Threat Assessment: GitHub Actions Supply Chain Attack: The Compromise of tj-actions/changed-files
A recent compromise of the tj-actions/changed-files GitHub action highlights significant risks in CI/CD pipelines stemming from third-party dependencies. Attackers exploited a vulnerability that allowed unauthorized access to sensitive workflow secrets and data breaches. The incident affected over 23,000 repositories and raised concerns about security in software supply chains. Affected: tj-actions/changed-files, reviewdog organization, GitHub Actions, CI/CD pipelines

Keypoints :

  • The tj-actions/changed-files action was compromised, allowing attackers to access sensitive data.
  • The compromise was first detected on March 14, 2025, with suspicious activity in workflow logs.
  • Attackers injected a payload that exposed CI/CD runner memory data containing sensitive environment variables.
  • The attack utilized a leaked GitHub Personal Access Token (PAT) linked to the @tj-actions-bot account.
  • More than 60 public GitHub actions depend on the tj-actions/changed-files action, amplifying the risk.
  • The issue underscores the vulnerabilities of third-party dependencies in software supply chains.
  • Immediate recommended actions include identifying usage, reviewing logs, rotating secrets, and investigating suspicious activities.
  • Long-term improvements suggest stricter governance over third-party services and pinning GitHub actions to specific commits.

MITRE Techniques :

  • T1071.001: Application Layer Protocol: Web Protocols – Attack executed through unauthorized modifications to the tj-actions/changed-files repository.
  • T1090: Proxy – Attackers leveraged a Personal Access Token (PAT) to execute a malicious commit, masking their presence.
  • T1213: Data from Information Repositories – Malicious code extracted CI/CD secrets from the runner’s memory.
  • T1203: Exploitation for Client Execution – Attackers exploited vulnerabilities in GitHub Actions for unauthorized code execution.

Indicator of Compromise :

  • [SHA-1] 0e58ed8671d6b60d0890c21b07f8835ace038e67

Full Story: https://unit42.paloaltonetworks.com/github-actions-supply-chain-attack/

Tags: CREDENTIAL, LEARN, MONITOR, PROXY, CLOUD, PAYLOAD, IMPACT, EXPLOIT