A supply chain attack on the widely used 'tj-actions/changed-files' GitHub Action, used by 23,000 repositories, potentially allowed threat actors to steal CI/CD secrets from GitHub Actions build logs. Attackers modified the action's code and retroactively updated multiple version tags to reference a malicious commit, so all versions of the tool were compromised.

The action allows developers to identify files changed in a pull request or commit and take actions based on those changes; it is generally used in testing, workflow triggering, and automated code linting and validation.

As first reported by StepSecurity, attackers added a malicious commit to the tool on March 14, 2025, at 4:00 PM UTC, that dumped CI/CD secrets from the Runner Worker process into the build logs of any project using the action. As a result, if workflow logs were publicly accessible, anyone could read and steal the exposed secrets. "The compromised action injected malicious code into any CI workflows using it, dumping the CI runner memory containing the workflow secrets," explains Wiz in a write-up on the incident.

On March 15, at 2:00 PM UTC, GitHub removed the compromised action, and at 10:00 PM UTC on the same day the repository was restored with the malicious code removed.

To prevent secrets from being exposed in similar compromises in the future, GitHub recommends that all GitHub Actions be pinned to specific commit hashes instead of version tags, since tags can be moved to point at a different commit.

As per the latest update by the developers, the attacker compromised a GitHub personal access token (PAT) used by a bot (@tj-actions-bot), which had privileged access to the tool's repository.
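GitHub's pinning recommendation above, as an added example that is not from the article or the project: a small Python check that scans a workflow file for `uses:` references that are not pinned to a full 40-character commit SHA, which is exactly what a retagging attack like this one bypasses. The sample workflow and the SHA value in it are constructed placeholders.

```python
import re

# Matches a `uses:` step in a GitHub Actions workflow: owner/repo[/path]@ref
# Local actions (uses: ./path) have no @ref and are deliberately not matched.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@([^\s'\"#]+)"
)
# A full commit SHA is 40 lowercase hex characters; tags, branches and
# abbreviated SHAs are all mutable or ambiguous and are flagged.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned_actions(workflow_yaml: str):
    """Return (action, ref) pairs whose ref is not a full commit SHA."""
    unpinned = []
    for line in workflow_yaml.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group(1), m.group(2)
        if not FULL_SHA_RE.match(ref):
            unpinned.append((action, ref))
    return unpinned


# Constructed sample workflow (not from the article): two tag-pinned steps
# and one SHA-pinned step. The SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
"""

if __name__ == "__main__":
    for action, ref in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"unpinned: {action}@{ref}")
```

Run it over every file under `.github/workflows/` in CI to fail builds that reintroduce tag-based references.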
This Cyber News was published on www.bleepingcomputer.com. Publication date: Mon, 17 Mar 2025 15:25:06 +0000