GitHub Action tj-actions/changed-files was compromised in supply chain attack – Securityaffairs.com


Published on: 2025-03-18

Intelligence Report: GitHub Action tj-actions/changed-files was compromised in supply chain attack – Securityaffairs.com

1. BLUF (Bottom Line Up Front)

A supply chain attack compromised the GitHub Action tj-actions/changed-files, allowing attackers to leak secrets from repositories that use it in continuous integration and delivery (CI/CD) workflows. The attack involved modifying the action’s code to print CI/CD secrets into publicly accessible workflow logs. Immediate action is required to contain the risk, including updating affected repositories and revoking any credentials that may have been exposed.

2. Detailed Analysis

The following structured analytic techniques have been applied for this analysis:

General Analysis

The attack began on March 8th, when attackers modified the GitHub Action to execute a malicious Python script. This script extracted CI/CD secrets from the memory of runner processes and dumped them into workflow logs. The compromise was discovered by researchers at StepSecurity, who identified the anomaly through network traffic analysis. The attack affected multiple public repositories, with secrets being exfiltrated to an attacker-controlled server. GitHub has since removed the compromised action.

3. Implications and Strategic Risks

The compromise poses significant risks to software supply chains, potentially affecting national security and economic interests due to the exposure of sensitive data. The attack highlights vulnerabilities in CI/CD workflows, which could be exploited in future incidents. Organizations relying on GitHub Actions must reassess their security protocols to prevent similar breaches.

4. Recommendations and Outlook

Recommendations:

  • Organizations should immediately update their GitHub Actions references and review workflow files and workflow logs for any unauthorized changes.
  • Revoke and regenerate any secrets and personal access tokens stored in GitHub Actions that could have been exposed.
  • Implement anomaly detection to monitor for unexpected network traffic and endpoint connections from CI/CD runners.
  • Consider regulatory updates to enforce stricter security measures in CI/CD environments.
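The first recommendation, reviewing workflow files for references to the compromised action and for mutable action references in general, can be scripted. The following is an added example written for this report, not code from Security Affairs, StepSecurity or the tj-actions project. It scans GitHub workflow YAML for `uses:` lines, flags any reference to tj-actions/changed-files (the action named in this report), and separately flags every action that is pinned to a tag or branch rather than a full 40-character commit SHA, since a tag can be moved to different code while a commit SHA cannot. The sample workflow and the commit SHA in it are constructed for the example; the `WATCHLIST` set is a hypothetical structure so that other actions can be added later.

```python
import re
from pathlib import Path

# Constructed sample workflow standing in for a file under .github/workflows/.
# The setup-python step uses a made-up (constructed) full commit SHA; the other
# two steps use mutable tag references.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567
      - name: Detect changed files
        uses: tj-actions/changed-files@v45
      - run: echo "build"
"""

# Matches `uses: owner/repo[/subpath]@ref`; local (./path) and docker:// uses
# have no owner/repo@ref shape and are deliberately not matched.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(\S+)", re.M)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Actions known from this report to have been compromised (hypothetical list
# structure so further entries can be added).
WATCHLIST = {"tj-actions/changed-files"}


def audit_workflow(text):
    """Return findings as (action, ref, reason) tuples for each risky `uses:` line."""
    findings = []
    for match in USES_RE.finditer(text):
        action, ref = match.group(1), match.group(2)
        repo = "/".join(action.split("/")[:2])  # owner/repo without any subpath
        if repo in WATCHLIST:
            findings.append((action, ref,
                             "references a compromised action; remove or re-pin after review"))
        elif not FULL_SHA_RE.match(ref):
            findings.append((action, ref,
                             "not pinned to a full commit SHA; a tag or branch can be moved"))
    return findings


def audit_directory(root):
    """Audit every workflow file under <root>/.github/workflows and return {path: findings}."""
    results = {}
    workflows = Path(root) / ".github" / "workflows"
    for path in sorted(list(workflows.glob("*.yml")) + list(workflows.glob("*.yaml"))):
        findings = audit_workflow(path.read_text(encoding="utf-8"))
        if findings:
            results[str(path)] = findings
    return results


if __name__ == "__main__":
    # Stand-alone run over the constructed sample; replace with
    # audit_directory("/path/to/repo") to scan a real checkout.
    for action, ref, reason in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{action}@{ref}: {reason}")
```

Run against a real repository with `audit_directory`, every finding that names the compromised action should be treated as a signal to rotate the secrets that workflow had access to, not just to update the reference, because the report describes secrets already written to logs.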

Outlook:

In the best-case scenario, organizations swiftly implement security measures, minimizing further risks. In the worst-case scenario, similar attacks could proliferate, leading to widespread data breaches. The most likely outcome involves increased awareness and adoption of security best practices, reducing the likelihood of future incidents.

5. Key Individuals and Entities

The report mentions StepSecurity and Wiz as key entities involved in the discovery and analysis of the attack. GitHub has taken action to remove the compromised component. No specific individuals are named in the report.
