2025-03-17

More than 20,000 organizations may be at risk following a supply chain attack affecting the tj-actions/changed-files GitHub Action.

GitHub Actions is a continuous integration and continuous delivery (CI/CD) service that enables developers to automate software builds and tests. Workflows are triggered by specific events, for example when new code is committed to the repository.

Used in more than 23,000 repositories, tj-actions/changed-files is a GitHub Action that retrieves all changed files and directories.

On Friday, researchers at StepSecurity discovered a malicious commit in the Action: attackers modified its code and retroactively updated multiple version tags to point at the malicious commit.

"The compromised Action prints CI/CD secrets in GitHub Actions build logs," warned StepSecurity.

"If the workflow logs are publicly accessible (such as in public repositories), anyone could potentially read these logs and obtain exposed secrets. There is no evidence that the leaked secrets were exfiltrated to any remote network destination."

The compromised Action executes a malicious Python script that dumps CI/CD secrets into build logs, impacting thousands of CI pipelines.

"This CVE impacts public GitHub repositories with GitHub Actions enabled. All versions were impacted," said Dimitri Stiliadis, CTO and co-founder of Endor Labs.

"For organizations that build software, they will likely need to reconfigure their pipelines if they are using the compromised Action. The attack shouldn’t generally cause outages for customers, but it could block organizations from making other changes."

Attackers may now attempt to compromise the software supply chain for other open source libraries, binaries, and artifacts created with the Action, researchers warned, potentially impacting thousands of open source packages.

"We have no evidence that any downstream open source library or containers has been impacted at this time. But we urge open source maintainers and the security community to join us in keeping a close eye out for potential secondary compromises," said Stiliadis.

"GitHub has removed the Action, and users must find alternative implementations. This means that CI pipelines using the compromised Action could crash unless you are using a cached version."

How to check for GitHub Action anomalies

StepSecurity advised users of any version of the tj-actions/changed-files Action to stop using it immediately until the incident is resolved.

It has released a free, secure, drop-in replacement, step-security/changed-files, and recommends updating all instances of tj-actions/changed-files in workflows to this instead.

Users should also perform a code search across their repositories to discover all instances of the tj-actions/changed-files Action.

Users are also advised to review GitHub Actions workflow run logs to uncover any recent executions of the Action. If any are discovered, any secrets exposed in those runs should be rotated immediately.
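The code search above can be scripted. The scanner below is an added example written for this article, not code from StepSecurity or the tj-actions project; it walks a checked-out repository's workflow files, reports every reference to the Action, and flags whether the reference is a mutable tag or branch (the kind the attackers retargeted) or a full commit SHA, which cannot be moved. The sample workflow and its SHA are constructed.

```python
import re
from pathlib import Path

# Hypothetical scanner (added example, not StepSecurity's or tj-actions' code).
ACTION = "tj-actions/changed-files"
# Matches 'uses: tj-actions/changed-files@<ref>' in a workflow step.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?(" + re.escape(ACTION) + r")@([^\s'\"#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def scan_workflow(text: str):
    """Return one finding per reference to the Action in a workflow file.
    A reference is 'immutable' only when pinned to a full 40-hex commit SHA;
    tags and branches can be moved, which is how the malicious commit was
    attached retroactively to existing version tags."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(2)
        findings.append({"line": lineno, "ref": ref, "immutable": bool(SHA_RE.match(ref))})
    return findings

def scan_repo(root: str):
    """Scan every workflow file under .github/workflows of a checked-out repo."""
    results = {}
    for path in Path(root, ".github", "workflows").glob("*.y*ml"):
        found = scan_workflow(path.read_text(encoding="utf-8"))
        if found:
            results[str(path)] = found
    return results

# Constructed sample workflow, not taken from any real repository.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: "tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567"  # constructed SHA
"""

if __name__ == "__main__":
    for f in scan_workflow(SAMPLE_WORKFLOW):
        status = "SHA-pinned" if f["immutable"] else "MUTABLE tag/branch"
        print(f"line {f['line']}: {ACTION}@{f['ref']} ({status})")
```

A SHA pin only guarantees the reference cannot be moved; whether that commit is a known-good one still has to be checked against the project's history.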

"The focus now has to be on what’s next. How long will it take the thousands of open source GitHub repos affected to take the proper security measures and revoke/change secrets?" commented Stiliadis.

"What can happen in the meantime is the damage can range from nothing to catastrophic scenarios, depending on who the attacker was and why they did it."