Listen to this Post
A recent breach involving GitHub Action “tj-actions/changed-files” has raised alarms in the developer community. While the compromise affected a small percentage of repositories, the repercussions are significant. The breach highlights the importance of securing continuous integration/continuous deployment (CI/CD) pipelines and raises critical questions about the vulnerabilities inherent in the supply chain. Here’s a breakdown of the attack, its impact, and essential actions for repository owners.
the Incident
The GitHub Action tj-actions/changed-files was compromised on March 14, 2025, with a malicious commit being added to the project. The attackers exploited a vulnerability in the CI/CD pipeline to dump secrets from the Runner Worker process into the repository. This exposure occurred primarily when workflow logs were set to public access, enabling anyone to read the secrets.
Subsequent investigations suggest that the initial breach stemmed from another supply chain attack targeting the “reviewdog/action-setup@v1” GitHub Action. This earlier attack likely compromised a GitHub personal access token (PAT) used by a bot with the privilege to modify the tj-actions/changed-files repository.
According to data from Endor Labs, while only a small number of repositories were affected, the impact was still significant. Of the 5,416 repositories referencing the compromised GitHub Action, 614 executed the action within the exposed timeframe, and 218 of these repositories exposed secrets to the console log. Some of these exposed repositories had a massive reach, with one repository alone having over 350,000 stars and 63,000 forks.
The exposed secrets included GitHub install access tokens, which expire after 24 hours, limiting the window for exploitation. However, in some cases, credentials for services like DockerHub, npm, and AWS were leaked, posing a higher security risk.
What Undercode Says:
This GitHub supply chain attack is a stark reminder of the vulnerabilities in the tools and systems we trust in software development. While the immediate impact appears limited to a small portion of repositories, the long-term effects could be more far-reaching. Let’s break down the key insights from this incident:
1. Supply Chain Risks Are Real
The attack on tj-actions/changed-files highlights an essential truth in cybersecurity: supply chain vulnerabilities are a serious threat. These types of attacks exploit the very tools and services that developers depend on. While GitHub Actions is a widely trusted tool, this attack shows that even such popular services are susceptible to compromise if an attacker gains control of key repositories or services.
2. The Exploitation Window Was Short But Risky
The attackers relied on the fact that many repositories had their workflow logs set to public access, exposing sensitive information like tokens and credentials. Although most of the exposed secrets were short-lived (such as GitHub install tokens that expire within 24 hours), some of the credentials involved were for more long-lasting services like DockerHub and AWS. This highlights the importance of not just rotating secrets but ensuring that the logs do not contain any sensitive data in the first place.
3. Best Practices Can Mitigate Damage
Interestingly, Endor Labs reports that several repositories were protected from the attack by adhering to best practices such as referencing specific commit SHAs and limiting mutable tags. This demonstrates that even in a compromised situation, following good security practices can drastically reduce the impact. It also underlines the need for the developer community to regularly review and enforce security measures, particularly in CI/CD pipelines.
4. The Attack May Have a Broader Reach
While only 218 repositories were confirmed to have exposed secrets, it’s important to consider the possible ripple effect. Some of the affected repositories had large user bases, and these compromises could lead to further supply chain attacks. This is especially true if those credentials were used in other repositories or services. The community should be on high alert for signs of secondary breaches.
5. Actionable Steps for Developers
GitHub Actions users should review their workflows and ensure that secrets are not exposed in public logs. Best practices, such as using environment variables and encrypted secrets, should always be followed. Additionally, repository owners should rotate any exposed secrets immediately, especially if they relate to high-risk services like AWS or DockerHub.
6. Further Investigation is Needed
There are still many unanswered questions regarding the extent of the initial breach. It is unclear whether the Reviewdog action attack led to further compromises beyond tj-actions/changed-files. Developers should remain vigilant and monitor their repositories for unusual activity.
Fact Checker Results:
- Breach Scope: 218 repositories were confirmed to have exposed secrets, though the number may be larger due to potential ripple effects.
- Exposed Secrets: GitHub tokens were among the most commonly exposed secrets, with other services like DockerHub and AWS also impacted.
- Security Impact: While the exposure window was short, the leaked credentials had the potential for serious security breaches, especially for popular repositories.
This attack emphasizes the importance of secure coding practices and vigilant monitoring to protect against supply chain attacks in the future.
References:
Reported By: https://www.bleepingcomputer.com/news/security/github-action-supply-chain-attack-exposed-secrets-in-218-repos/
Extra Source Hub:
https://www.reddit.com/r/AskReddit
Wikipedia
Undercode AI
Image Source:
Pexels
Undercode AI DI v2
