SaaS security alert: Supply chain attack affecting multiple GitHub actions
What Happened?
On March 14, 2025, attackers compromised the popular GitHub Action tj-actions/changed-files, injecting malicious code to expose sensitive CI/CD secrets within workflow logs. This supply chain attack affected a total of 218 repositories, posing significant security risks despite its relatively limited scope.
Attack Methodology
- Attackers leveraged a compromised GitHub Personal Access Token (PAT) from a separate supply chain attack on the GitHub Action reviewdog/action-setup@v1.
- Malicious code introduced into tj-actions/changed-files dumped CI/CD secrets (GitHub tokens, DockerHub credentials, npm tokens, AWS credentials) into publicly accessible workflow logs.
- Many compromised repositories inadvertently exposed secrets because workflow logs were configured to be publicly accessible.
Impact
- 218 repositories across multiple organizations publicly exposed sensitive secrets.
- Short-lived GitHub tokens had limited exploitation potential because they expire quickly, but other credentials (DockerHub, npm, AWS) posed serious and lasting security risks.
- Potential for further downstream supply chain attacks due to compromised popular repositories.
Recommended Actions
- Immediate Credential Rotation: Rotate any secrets exposed by the affected GitHub Actions immediately, especially high-risk credentials (DockerHub, npm, AWS).
- Log Security: Ensure workflow logs are not publicly accessible and monitor logs for suspicious activity or unauthorized access.
- Pin GitHub Actions: Reference GitHub Actions by full-length commit SHA rather than by mutable tags or branches, so that a tag moved to malicious code cannot silently change what your workflow runs.
- Dependency Review: Regularly audit GitHub Actions dependencies and enable automated tools like Dependabot to identify and update vulnerable components promptly.
- Security Best Practices: Review and implement GitHub’s recommended security hardening measures for Actions workflows.
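The pinning and dependency-review recommendations above can be checked mechanically. The script below is an added example, not code from Nudge Security or from GitHub: it scans a workflow file for `uses:` lines, reports any action not pinned to a 40-hex commit SHA, and raises the severity for the two actions named in this alert (tj-actions/changed-files and reviewdog/action-setup) when they are referenced by a mutable tag. The sample workflow and the SHA it contains are constructed for illustration.

```python
import re
from typing import NamedTuple

# A full-length 40-hex commit SHA is the only immutable way to reference an action.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Matches `uses: owner/repo[/path]@ref`. Local actions (`./path`) and
# `docker://` images carry no `@ref` in this form and are deliberately skipped.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@([^'\"\s#]+)"
)

# Actions named in the alert; a mutable reference to either is treated as high risk.
AFFECTED_ACTIONS = {"tj-actions/changed-files", "reviewdog/action-setup"}


class Finding(NamedTuple):
    line_no: int
    action: str
    ref: str
    severity: str
    reason: str


def audit_workflow(text: str) -> list[Finding]:
    """Return one Finding per `uses:` line that is not pinned to a commit SHA."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.groups()
        # Normalise `owner/repo/subdir` to `owner/repo` for the affected-list check.
        repo = "/".join(action.split("/")[:2])
        pinned = bool(SHA_RE.match(ref))
        if pinned:
            continue
        if repo in AFFECTED_ACTIONS:
            findings.append(Finding(line_no, action, ref, "high",
                                    "action named in the incident referenced by mutable tag/branch"))
        else:
            findings.append(Finding(line_no, action, ref, "medium",
                                    "not pinned to a full commit SHA"))
    return findings


# Constructed sample workflow; the SHA on the setup-node line is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: reviewdog/action-setup@v1
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)
      - uses: ./.github/actions/local-thing
"""


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line_no}: [{f.severity}] {f.action}@{f.ref}: {f.reason}")
```

Run it over every file under `.github/workflows/` as a CI gate or a one-off audit. A SHA pin only fixes the code of the action you reference directly; composite actions can themselves call other actions, so those transitive references need the same review.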
*** This is a Security Bloggers Network syndicated blog from Nudge Security Blog authored by Nudge Security Blog. Read the original post at: https://www.nudgesecurity.com/post/supply-chain-attack-affecting-multiple-github-actions