[Bug/Security]: tj-actions/changed-files compromised version in workflows · Issue #3111 · youki-dev/youki · GitHub
Description

@sou1118

Bug Description

The popular GitHub Action tj-actions/changed-files has been compromised in a supply chain attack. This action is currently used in our repository workflows, specifically in basic.yml and integration_tests_validation.yaml. According to security reports, the compromised action exfiltrates CI/CD secrets by dumping them from the runner's memory.

Steps to Reproduce

The issue affects all users of tj-actions/changed-files, including installations pinned to specific version tags, as the attacker has retroactively updated multiple version tags to reference the malicious commit.

In our repository, we're using this action in:

  1. .github/workflows/basic.yml - using tj-actions/changed-files@v41
  2. .github/workflows/integration_tests_validation.yaml - using tj-actions/changed-files@v41

Expectation

The GitHub Action should function as expected without introducing security vulnerabilities or exfiltrating secrets.

System and Setup Info

This affects any CI/CD environment running GitHub Actions with the compromised tj-actions/changed-files action.

Additional Context

According to StepSecurity's report:

The tj-actions/changed-files GitHub Action, which is currently used in over 23,000 repositories, has been compromised. In this attack, the attackers modified the action's code and retroactively updated multiple version tags to reference the malicious commit. The compromised Action prints CI/CD secrets in GitHub Actions build logs. If the workflow logs are publicly accessible (such as in public repositories), anyone could potentially read these logs and obtain exposed secrets.

The compromised Action now executes a malicious Python script that dumps CI/CD secrets from the Runner Worker process. Most of the existing Action release tags have been updated to refer to the malicious commit mentioned below. Note: All these tags now point to the same malicious commit hash: 0e58ed8671d6b60d0890c21b07f8835ace038e67, indicating the retroactive compromise of multiple versions.

As reported by roblaszczak on Twitter:

tj-actions/changed-files GitHub action was compromised, and if you are using it, your secrets have been leaked to the attacker. The compromised version has been out for 16 hours already. To make matters worse, removing this action efficiently is pretty hard.

ALL tags are affected, so if you have pinned it by a tag, you are also affected. What makes it worse is that it affects all your branches. So committing anything to any branch that uses this action leaks secrets.

Recommended action:

  1. Immediate fix: Replace the action with a secure alternative or pin to a specific commit hash from before the compromise.
  2. Audit workflow runs: Check all recent workflow logs for potential secret leakage.
  3. Rotate secrets: Consider rotating any secrets that may have been exposed in our GitHub Actions workflows.

I'll prepare a PR to fix this vulnerability.

References:
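The first recommended step above (replace or pin to a pre-compromise commit) hinges on the difference between a mutable tag such as `@v41`, which the attacker re-pointed, and an immutable full commit SHA. The following audit script is an added example, not part of this issue or the youki project: it scans workflow text for `uses:` steps referencing `tj-actions/changed-files`, reports whether each is pinned to the malicious SHA quoted in the report, to a mutable tag or branch, or to a full SHA, and shows a constructed before/after workflow snippet (the 40-hex SHA in the "after" snippet is a constructed placeholder, not a real commit).

```python
import re

# Malicious commit hash quoted in the StepSecurity report in this issue.
MALICIOUS_SHA = "0e58ed8671d6b60d0890c21b07f8835ace038e67"
ACTION = "tj-actions/changed-files"

# Matches a step's `uses:` line: owner/repo[/subpath]@ref, optional trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+)(/[^@\s]*)?@(\S+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text):
    """Return (line_number, ref, verdict) for every step that uses ACTION.

    verdict is 'malicious-sha', 'mutable-ref' (tag or branch, can be
    re-pointed by the action's maintainer or an attacker) or 'pinned-sha'.
    """
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m or m.group(1) != ACTION:
            continue
        ref = m.group(3)
        if ref == MALICIOUS_SHA:
            verdict = "malicious-sha"
        elif FULL_SHA_RE.match(ref):
            verdict = "pinned-sha"
        else:
            verdict = "mutable-ref"
        findings.append((n, ref, verdict))
    return findings


def needs_action(findings):
    """Only full-SHA pins are acceptable; everything else must be fixed."""
    return [f for f in findings if f[2] != "pinned-sha"]


# Constructed sample workflow: tag pin (as in basic.yml) vs. full-SHA pin.
BEFORE = """\
jobs:
  changes:
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v41
"""
AFTER = """\
jobs:
  changes:
    steps:
      - uses: actions/checkout@v4
      # constructed placeholder SHA; pin to a commit verified to predate the compromise
      - uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567 # v41
"""
```

Running `audit_workflow` over each file under `.github/workflows/` and acting on `needs_action` covers the two files named in this issue; rotating the secrets those workflows could read is still required, since a re-pointed tag may already have run.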
