A recent supply chain attack has targeted the widely used ‘tj-actions/changed-files’ GitHub Action, affecting over 23,000 repositories. This compromise has led to the exposure of sensitive CI/CD secrets, including AWS access keys, GitHub personal access tokens, and private RSA keys.
Incident Timeline and Impact
March 14, 2025, 4:00 PM UTC: Attackers introduced a malicious commit into the ‘tj-actions/changed-files’ repository, modifying its code to leak CI/CD secrets from the GitHub Actions runner environment into build logs.
March 15, 2025, 2:00 PM UTC: GitHub removed the compromised action to prevent further exploitation.
March 15, 2025, 10:00 PM UTC: The repository was restored with the malicious code removed.
Repositories that referenced the compromised action by tag (e.g., ‘tj-actions/changed-files@v2’) were immediately affected. Automated dependency-update tools such as Dependabot and Renovate may also have propagated the compromised action by updating even pinned references to the malicious digest.
Official Statements and Recommendations
Varun Sharma, CEO of StepSecurity, emphasized the necessity for real-time CI/CD security monitoring to detect and prevent such incidents. He stated that this attack underscores the growing risks in software supply chains.
Security experts advise organizations to identify and remove the compromised action from their workflows, rotate any exposed secrets, and monitor CI/CD pipelines for unusual activity. They stress treating development pipelines with the same security measures as production environments to mitigate potential risks.
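As an added example (not code from the article or from the tj-actions project), the following scanner supports the first recommendation above and the tag-versus-digest distinction from the timeline: it walks a repository's workflow files, finds every reference to tj-actions/changed-files, and reports whether each reference is a mutable tag or branch (repointed during the incident) or a full commit SHA. The sample workflow and its SHA are constructed; the `bad_shas` set is meant to be filled from the official advisory.

```python
import re
from pathlib import Path

# Action compromised in the March 2025 incident discussed on this page.
COMPROMISED_ACTION = "tj-actions/changed-files"
# Matches `uses: owner/repo[/path]@ref` lines in a GitHub Actions workflow.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([\w.-]+/[\w.-]+)(?:/[^@'"\s]+)?@([^'"\s#]+)""")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def classify_ref(ref, bad_shas=frozenset()):
    """'known-bad' for a listed malicious commit; 'sha' for a full 40-hex pin
    (still compare it against the advisory); 'mutable' for a tag or branch,
    which the attacker could repoint during the incident window."""
    if ref in bad_shas:
        return "known-bad"
    return "sha" if FULL_SHA_RE.match(ref) else "mutable"

def scan_workflow(text, action=COMPROMISED_ACTION, bad_shas=frozenset()):
    """Return [(line_no, ref, kind)] for every reference to `action` in one workflow."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and m.group(1).lower() == action:
            findings.append((n, m.group(2), classify_ref(m.group(2), bad_shas)))
    return findings

def scan_repo(root, **kw):
    """Scan every workflow under <root>/.github/workflows; returns {path: findings}."""
    results = {}
    for p in sorted(Path(root, ".github", "workflows").glob("*.y*ml")):
        hits = scan_workflow(p.read_text(encoding="utf-8"), **kw)
        if hits:
            results[str(p)] = hits
    return results

# Constructed sample workflow (not from the page) covering each reference style.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - name: pinned (constructed SHA, not a real commit)
        uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567
      - uses: "tj-actions/changed-files@main"
"""
```

Run `scan_repo(".")` from a checkout to get a per-file list; every `mutable` or `known-bad` hit means the workflow's secrets should be treated as exposed and rotated.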