Rotate Your Keys Asap If You Use This Gh Action #cybersecurity #technews @endingwithali

Summary: The video discusses the compromise of a widely used GitHub Action, tj-actions/changed-files, which was in use in over 23,000 repositories at the time. The compromised action dumped CI/CD secrets into build logs, which for public repositories were publicly readable, in a supply chain attack that played out over two days in March. The incident was traced back to a compromised personal access token that allowed the adversaries to push a malicious commit and alter the project's release tags.

Keypoints:

  • A major GitHub Action, tj-actions/changed-files, was compromised.
  • The team at StepSecurity uncovered and reported the issue.
  • The action was used in over 23,000 repositories at the time of the incident.
  • The compromised action printed CI/CD secrets into build logs; in public repositories those logs were publicly readable.
  • The attack occurred over a period of two days, March 14th and 15th, and was later mitigated.
  • Adversaries compromised a personal access token linked to a bot account used by the project.
  • The method of the token's compromise remains unknown.
  • Using the token, the attackers pushed a malicious commit and moved the action's release tags to point at it.
  • The payload was obfuscated with Base64 encoding; decoding it revealed its malicious intent.
  • Users of the tj-actions/changed-files GitHub Action are advised to rotate their secrets immediately.
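The moved release tags in the keypoints above are why practitioners pin third-party actions to a full 40-character commit SHA instead of a tag: a tag like `v45` can be re-pointed at a malicious commit, a SHA cannot. The following Python script is an added example, not code from the video, from Hak5 or from the tj-actions project. It scans workflow text for `uses:` lines, flags any reference that is not a full-SHA pin, and flags every use of tj-actions/changed-files regardless of how it is pinned, since any workflow that ran the action during the window needs its secrets rotated. The sample workflow, the placeholder SHA and the `Finding` type are constructed for this example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Matches a `uses:` step of the form owner/repo[/subpath]@ref, either as a list
# item (`- uses:`) or as a key under a named step. Line-based on purpose: local
# actions (./path) and docker:// images have no owner/repo@ref and are skipped.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?([\w.-]+/[\w.-]+)(/[^@\s'\"]+)?@([^\s'\"#]+)",
    re.MULTILINE,
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Action named in the source as compromised; using it at all warrants rotation.
COMPROMISED_ACTIONS = {"tj-actions/changed-files"}


@dataclass
class Finding:
    action: str          # owner/repo
    ref: str             # whatever follows the '@'
    sha_pinned: bool     # True only for a full 40-hex commit SHA
    known_compromised: bool


def audit_workflow(text: str) -> list[Finding]:
    """Return one Finding per third-party `uses:` reference in the workflow text."""
    findings = []
    for match in USES_RE.finditer(text):
        action, _subpath, ref = match.group(1), match.group(2), match.group(3)
        findings.append(
            Finding(
                action=action,
                ref=ref,
                sha_pinned=bool(FULL_SHA_RE.match(ref)),
                known_compromised=action in COMPROMISED_ACTIONS,
            )
        )
    return findings


def needs_attention(findings: list[Finding]) -> list[Finding]:
    """Findings a reviewer must act on: known-bad actions or mutable (non-SHA) refs."""
    return [f for f in findings if f.known_compromised or not f.sha_pinned]


def report(findings: list[Finding]) -> list[str]:
    """One human-readable line per finding that needs action."""
    lines = []
    for f in needs_attention(findings):
        if f.known_compromised:
            lines.append(
                f"{f.action}@{f.ref}: known compromised action; rotate every secret "
                f"this workflow could read and remove or re-pin the action"
            )
        else:
            lines.append(f"{f.action}@{f.ref}: mutable ref; pin to a full 40-hex commit SHA")
    return lines


# Constructed sample workflow. The 40-hex value is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - name: Detect changed files
        uses: tj-actions/changed-files@v45
        id: changed
      - uses: actions/setup-node@v4  # mutable tag
        with:
          node-version: 20
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.20
"""

if __name__ == "__main__":
    for line in report(audit_workflow(SAMPLE_WORKFLOW)):
        print(line)
```

Run it against `.github/workflows/*.yml` by reading each file into `audit_workflow`. Two caveats: a SHA pin only protects against a tag being moved after you pinned it, not against pinning a commit that was already malicious, and it does nothing for secrets already exposed, so rotation is still required for any workflow that ran the action in the affected window.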

Youtube Video: https://www.youtube.com/watch?v=QgHwiOJIcMM
Youtube Channel: Hak5
Video Published: Sun, 30 Mar 2025 13:00:28 +0000