Organizations urged to act fast after GitHub Action supply chain attack

News
By Emma Woollacott

The GitHub Action incident has enterprises scrambling to protect secrets


More than 20,000 organizations may be at risk following a supply chain attack on the tj-actions/changed-files GitHub Action.

GitHub Actions is a continuous integration and continuous delivery (CI/CD) service that enables developers to automate software builds and tests. Workflows are triggered by specific events, for example when new code is committed to the repository.

Used in more than 23,000 repositories, tj-actions/changed-files is a GitHub Action that lists the files and directories changed by a commit or pull request, so that later workflow steps can act only on what changed.

On Friday, researchers at StepSecurity discovered a malicious commit in the Action: attackers modified its code and retroactively moved multiple existing version tags to point at the malicious commit, so any workflow referencing the Action by tag silently picked up the compromised code on its next run.

"The compromised Action prints CI/CD secrets in GitHub Actions build logs," warned StepSecurity.

"If the workflow logs are publicly accessible (such as in public repositories), anyone could potentially read these logs and obtain exposed secrets. There is no evidence that the leaked secrets were exfiltrated to any remote network destination."

In practice, the compromised Action executes a malicious Python script that dumps the CI/CD secrets held by the runner into the build log, impacting thousands of CI pipelines.

"This CVE impacts public GitHub repositories with GitHub Actions enabled. All versions were impacted," said Dimitri Stiliadis, CTO and co-founder of Endor Labs.

"Organizations that build software will likely need to reconfigure their pipelines if they are using the compromised Action. The attack shouldn’t generally cause outages for customers, but it could block organizations from making other changes."

Using any leaked secrets, such as publishing tokens or cloud credentials, attackers may now attempt to compromise the software supply chain for other open source libraries, binaries, and artifacts built with the Action, researchers warned, potentially impacting thousands of open source packages.

"We have no evidence that any downstream open source library or containers have been impacted at this time. But we urge open source maintainers and the security community to join us in keeping a close eye out for potential secondary compromises," said Stiliadis.

"GitHub has removed the Action, and users must find alternative implementations. This means that CI pipelines using the compromised Action could crash unless you are using a cached version."

How to check for GitHub Action anomalies

StepSecurity advised users of any version of the tj-actions/changed-files Action to stop using it immediately until the incident is resolved.

It has released a free, secure, drop-in replacement, step-security/changed-files, and recommended replacing every instance of tj-actions/changed-files in workflows with it.

Users should also perform a code search across their repositories to discover all instances of the tj-actions/changed-files Action.

Users are also advised to review their GitHub Actions workflow run logs to uncover any recent executions of the Action. If any are found, every secret available to those workflow runs should be treated as exposed and rotated immediately.
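The three checks above (find every reference, tell tag-pinned from SHA-pinned references, confirm from run logs whether the Action actually executed) can be scripted. The following is an added example, not StepSecurity's tooling or tj-actions' code. It assumes workflow files in the usual `uses: owner/repo@ref` form and run logs that carry the `Run owner/repo@ref` step header that GitHub writes for `uses:` steps; the sample workflow, sample log lines and the all-zero replacement SHA are constructed placeholders, not real commits or real runs. For an organization-wide sweep, the same search can be done with the GitHub CLI, for example `gh search code "tj-actions/changed-files" --owner <org>`, assuming `gh` is installed and authenticated.

```python
"""Find, classify and replace references to a compromised GitHub Action.

Added example (not StepSecurity's or tj-actions' code). Locates `uses:` references
in workflow files and `Run owner/repo@ref` step headers in run logs, reports whether
each reference is pinned to an immutable 40-hex commit SHA or to a retargetable
tag/branch, and drafts a replacement line. The caller supplies the replacement
repository and SHA; the SHA used below is a constructed placeholder.
"""
import re
from dataclasses import dataclass

COMPROMISED_ACTION = "tj-actions/changed-files"
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# `uses: owner/repo[/subpath]@ref`, with optional `- ` list marker and trailing text.
# Local (`./path`) and `docker://` actions carry no `@` in this shape and are skipped.
USES_RE = re.compile(
    r"^(?P<prefix>\s*(?:-\s*)?uses:\s*)"
    r"(?P<repo>[\w.-]+/[\w.-]+)(?P<subpath>/[^@\s]+)?@(?P<ref>[^\s#]+)"
    r"(?P<rest>.*)$"
)
# Step header written to the run log for a `uses:` step, e.g. "Run tj-actions/changed-files@v45".
LOG_STEP_RE = re.compile(r"\bRun (?P<repo>[\w.-]+/[\w.-]+)(?:/[^@\s]+)?@(?P<ref>\S+)")

# Constructed sample inputs, not taken from any real repository or run.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
        id: changed
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
"""
SAMPLE_LOG = (
    "2025-03-15T10:00:01Z Run actions/checkout@v4\n"
    "2025-03-15T10:00:09Z Run tj-actions/changed-files@v45\n"
)
PLACEHOLDER_SHA = "0" * 40  # constructed; look up the real commit SHA of the replacement


@dataclass
class Finding:
    line_no: int
    repo: str
    ref: str
    pinned_to_sha: bool   # only a full commit SHA is immune to tag retargeting
    compromised: bool


def scan_workflow(text: str) -> list[Finding]:
    """Classify every third-party action reference in one workflow file."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        repo, ref = m["repo"], m["ref"]
        findings.append(Finding(
            line_no=n, repo=repo, ref=ref,
            pinned_to_sha=bool(FULL_SHA_RE.match(ref)),
            compromised=repo.lower() == COMPROMISED_ACTION,
        ))
    return findings


def rewrite_uses(line: str, new_repo: str, new_sha: str) -> str:
    """Swap the compromised action for new_repo pinned to new_sha; other lines pass through."""
    m = USES_RE.match(line)
    if not m or m["repo"].lower() != COMPROMISED_ACTION:
        return line
    if not FULL_SHA_RE.match(new_sha):
        raise ValueError("pin the replacement to a full 40-hex commit SHA, not a tag")
    return f"{m['prefix']}{new_repo}{m['subpath'] or ''}@{new_sha}  # was {m['repo']}@{m['ref']}"


def scan_run_log(log_text: str) -> list[tuple[str, str]]:
    """Return (repo, ref) for each `uses:` step that actually ran, from the log's step headers."""
    return [(m["repo"], m["ref"]) for m in LOG_STEP_RE.finditer(log_text)]


def secrets_need_rotation(log_text: str) -> bool:
    """True if the compromised action ran in this log: every secret that run could see is exposed."""
    return any(repo.lower() == COMPROMISED_ACTION for repo, _ in scan_run_log(log_text))


if __name__ == "__main__":
    for f in scan_workflow(SAMPLE_WORKFLOW):
        status = "COMPROMISED" if f.compromised else ("sha-pinned" if f.pinned_to_sha else "mutable ref")
        print(f"line {f.line_no}: {f.repo}@{f.ref}  [{status}]")
    print(rewrite_uses("      - uses: tj-actions/changed-files@v45",
                       "step-security/changed-files", PLACEHOLDER_SHA))
    print("rotate secrets:", secrets_need_rotation(SAMPLE_LOG))
```

The point of the `pinned_to_sha` flag is the lesson of this incident: a tag such as `v45` is a mutable pointer the maintainer (or whoever holds their credentials) can move, whereas a full commit SHA cannot be retargeted, so the replacement is written back SHA-pinned and the script refuses a tag.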


"The focus now has to be on what’s next. How long will it take the thousands of open source GitHub repos affected to take the proper security measures and revoke/change secrets?" commented Stiliadis.

"What can happen in the meantime is the damage can range from nothing to catastrophic scenarios, depending on who the attacker was and why they did it."

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.
