Hacker News: Tj-actions/changed-files GitHub Action Compromised – used by over 23K repos

Mar 15, 2025

—

Source URL: https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised
Source: Hacker News
Title: Tj-actions/changed-files GitHub Action Compromised – used by over 23K repos

Feedly Summary: Comments

AI Summary and Description: Yes

Summary: A critical security incident has been identified involving the tj-actions/changed-files GitHub Action, which has been compromised to leak sensitive CI/CD secrets. This incident underscores the urgency for security and compliance professionals to audit their GitHub Actions and take immediate recovery steps to secure their repositories.

Detailed Description: The tj-actions/changed-files GitHub Action, utilized in over 23,000 repositories, has been compromised, leading to the potential exposure of CI/CD secrets in publicly accessible build logs. This incident highlights significant vulnerabilities within CI/CD processes, particularly regarding third-party actions in GitHub.

Key Points:
* **Compromise Overview**: Attackers modified the action’s code and retroactively updated its version tags to point to a malicious commit, compromising the integrity of the action.
* **Exposed Secrets**: CI/CD secrets are being printed in GitHub Actions build logs. Since these logs are public, anyone can access them and potentially steal sensitive information.
* **Detection Method**: StepSecurity’s Harden-Runner platform detected the anomaly via unexpected network traffic linked to the modified action.
* **Malicious Script**: A malicious Python script was introduced that scrapes sensitive data from the GitHub Actions runner process.
* **Recovery Recommendations**:
– Stop using any version of the tj-actions/changed-files Action immediately.
– Conduct a thorough search for instances of this action in repositories.
– Review recent execution logs to identify potential secret leaks.
– Monitor network traffic for calls to known malicious endpoints.
* **Security Measures**: The Harden-Runner solution provides security for CI/CD workflows by controlling network access and monitoring activities, making it critical in responding to and mitigating such incidents.
* **Consulting Support**: A support channel is available for users needing help in investigating the issue.

This incident emphasizes the importance of integrating robust security measures within CI/CD pipelines, particularly when using third-party resources. Compliance professionals should advocate for continuous monitoring and the implementation of security best practices to safeguard sensitive information against similar future exploits.

2 3 a access Act actions AI and Arch art as attack attackers audit being Best best practices by C CI/CD code compliance compliance professionals compromised consulting support continuous monitoring control core critical D data de detection e end endpoint endpoints execution exp exploit exploits for future g Gen git GitHub GitHub Action GitHub Actions gs H hack hacker Hacker News high Highlight http HTTPS implementation in incident information integrity J k Key l led Li Link linked logs low making malicious script media Mila ModI Monitor monitoring N network network access network traffic news no o of on one over party party actions Pipeline pipelines platform point potential process processes professionals public Py Python Python script R RCE recommendations recovery recovery recommendations resource resources Ro robust security s safe search sec secrets secure security security and compliance security best practices security incident security measure security measures sensitive data sensitive information Sig Sim source SSE STIG T the third third-party third-party actions to Tor Tor network TP traffic two UI up update US use user Users V version vulnerabilities Wi workflow workflows x