GitHub Action Compromise: tj-actions/changed-files Injecting Malicious Code
2025-03-15

A critical security incident has compromised the tj-actions/changed-files GitHub Action, impacting over 23,000 repositories. Attackers retroactively modified multiple version tags to point to a malicious commit, exposing CI/CD secrets in public build logs. StepSecurity Harden-Runner detected this anomaly. The compromised Action executes a malicious Python script that dumps secrets from the Runner Worker process. Immediate action is required: stop using the affected Action and review build logs for leaked secrets.
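To act on the advice above, the following added example (not part of the original post or of any vendor tooling) finds every reference to the Action in a repository's workflow files and reports whether it is pinned to a movable ref, such as the retargeted version tags, or to a full commit SHA. The sample workflow, its tag name and its SHA are constructed for illustration.

```python
import re
from pathlib import Path

ACTION = "tj-actions/changed-files"
# Matches `uses: tj-actions/changed-files@<ref>`, with or without a list dash or quotes.
# Commented-out steps do not match because `#` cannot precede `uses:` here.
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*['\"]?" + re.escape(ACTION) + r"@([^\s'\"#]+)",
    re.IGNORECASE,
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def classify_ref(ref):
    """A full 40-hex commit SHA cannot be moved; tags and branches can."""
    return "commit-sha" if FULL_SHA_RE.match(ref.lower()) else "mutable-ref"

def scan_workflow_text(text, source="<memory>"):
    """Return one finding per step that uses the Action."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            findings.append({"file": source, "line": lineno,
                             "ref": ref, "kind": classify_ref(ref)})
    return findings

def scan_repo(root):
    """Scan .github/workflows/*.yml and *.yaml in a checked-out repository."""
    findings = []
    for path in sorted((Path(root) / ".github" / "workflows").glob("*.y*ml")):
        text = path.read_text(encoding="utf-8", errors="replace")
        findings += scan_workflow_text(text, str(path))
    return findings

# Constructed sample workflow: the tag and the SHA are placeholders, not real refs.
SAMPLE = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: changed files
        uses: tj-actions/changed-files@v0.0.0-example
      - uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567  # constructed
      # - uses: tj-actions/changed-files@v0.0.0-example
"""

if __name__ == "__main__":
    for f in scan_workflow_text(SAMPLE, "sample.yml"):
        print(f"{f['file']}:{f['line']}: {ACTION}@{f['ref']} [{f['kind']}]")
```

A `mutable-ref` finding means the step would have followed a retargeted tag; a `commit-sha` finding still has to be compared against the malicious commit named in the incident advisory, which this page does not list.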