Source URL: https://www.theregister.com/2025/03/17/supply_chain_attack_github/
Source: The Register
Title: GitHub supply chain attack spills secrets from 23,000 projects
Feedly Summary: Large organizations among those cleaning up the mess
It’s not such a happy Monday for defenders wiping the sleep from their eyes only to deal with the latest supply chain attack.…
AI Summary and Description: Yes
**Summary:** The disclosure of a supply chain attack on the tj-actions/changed-files GitHub Action shows how a single compromised dependency in a CI pipeline can leak the secrets of every workflow that runs it. The incident underscores the importance of securing developer workflows against the exposure of sensitive information in build logs.
**Detailed Description:**
The supply chain attack on tj-actions/changed-files, a widely used GitHub Action that lists the files changed in a push or pull request, has raised significant concern within the security community. The incident is a stark reminder that CI/CD tooling is itself an attack surface, and that compromising one shared component exposes every project that depends on it.
Key Points:
– **Compromise Details**:
– The GitHub Action was compromised on or before March 14, 2025, when attackers injected malicious code that leaked the secrets available to developer workflows using it.
– The injected code downloaded and ran a Python script that read the runner's process memory to harvest continuous integration/continuous delivery (CI/CD) secrets and printed them into the workflow's build logs.
– **Types of Exposed Secrets**:
– Exfiltrated secrets can include API keys, passwords, and access tokens; because they were written into build logs rather than sent to an attacker-controlled server, the risk to private repositories is believed to be lower, since only users with access to the repository can read its logs.
– Public repositories, however, publish their workflow logs to anyone, so any secret leaked there should be treated as compromised.
– **Security Measures Implemented Post-Attack**:
– The tj-actions team changed the password of the compromised bot account, moved it to passkey authentication, and reduced its permissions to the minimum necessary.
– They also revoked the affected Personal Access Token (PAT) and adopted a policy of no longer using PATs in their projects.
– **Recommendations for Developers**:
– Project maintainers are advised to review the logs of any workflow run that used tj-actions/changed-files during the affected window and to rotate every secret those workflows had access to.
– It is recommended to switch to an alternative action and remove every reference to the compromised action from all branches, not only the default branch, since a scheduled or pull-request workflow on a stale branch can still execute it.
– **Future Prevention Strategies**:
– GitHub recommends that developers pin actions to a specific commit SHA rather than to a version tag to protect against similar attacks in the future.
– A version tag such as `@v45` is only as trustworthy as the account that controls the repository, and in this incident the attacker re-pointed existing version tags at the malicious commit, so every tag-referenced workflow picked it up automatically. A full commit SHA cannot be moved in that way, so a SHA-pinned workflow keeps running exactly the code it was reviewed against. The pin still needs to be updated deliberately (for example via Dependabot) so that legitimate fixes are not missed.
– **Vulnerability Assignment**:
– The compromise has been assigned the vulnerability identifier CVE-2025-30066, with a CVSS score of 8.6 (high).
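The audit and pinning advice above can be turned into a repeatable check. The following script is an added example, not code from The Register article or from the tj-actions project: it walks a repository's `.github/workflows` directory, classifies each `uses:` reference as pinned to an immutable commit SHA or to a mutable tag or branch, and flags any remaining reference to tj-actions/changed-files. The sample workflow it creates is constructed for the demonstration, and the 40-hex SHA in it is a placeholder rather than a real commit. It assumes `uses:` values are written unquoted, which is the common style.

```shell
#!/bin/sh
# Added example (not from the article or the tj-actions project): audit how
# third-party GitHub Actions are pinned and flag the compromised action.
#
# Rule: a `uses:` reference is immutable only when its ref is a full 40-hex
# commit SHA. Tags (v45) and branches (main) can be moved by whoever controls
# the repository, which is how tag-referenced workflows picked up the backdoor.

# Classify one "owner/repo@ref" reference as "sha" or "mutable".
classify_ref() {
  ref=${1#*@}
  case "$ref" in
    "$1")            echo mutable ;;  # no @ref at all: default branch
    *[!0-9a-fA-F]*)  echo mutable ;;  # contains a non-hex char: tag or branch
    *) if [ "${#ref}" -eq 40 ]; then echo sha; else echo mutable; fi ;;
  esac
}

# Print "class<TAB>reference" for every `uses:` line under .github/workflows.
# Local (./path) and docker:// references are reported but not classified.
audit_workflows() {
  grep -rhoE 'uses:[[:space:]]*[^[:space:]#]+' "$1/.github/workflows" 2>/dev/null \
    | sed -E 's/^uses:[[:space:]]*//' \
    | while IFS= read -r action; do
        case "$action" in
          ./*)        printf 'local\t%s\n' "$action" ;;
          docker://*) printf 'docker\t%s\n' "$action" ;;
          *)          printf '%s\t%s\n' "$(classify_ref "$action")" "$action" ;;
        esac
      done
}

# Number of third-party actions that are not pinned to a commit SHA.
count_mutable() {
  audit_workflows "$1" | grep -c '^mutable' || true
}

# Exit 0 if any workflow in the checkout still references the compromised action.
has_compromised_action() {
  grep -rq 'tj-actions/changed-files' "$1/.github/workflows" 2>/dev/null
}

# The same check across every local and remote branch of a git checkout
# (the "all branches" advice). Needs git; not invoked by the demo below.
branches_referencing_compromised_action() {
  git -C "$1" for-each-ref --format='%(refname)' refs/heads refs/remotes \
    | while IFS= read -r ref; do
        if git -C "$1" grep -q 'tj-actions/changed-files' "$ref" -- .github/workflows; then
          printf '%s\n' "$ref"
        fi
      done
}

# Constructed sample repository for the demonstration (not real project content).
make_sample_workflows() {
  dir=$(mktemp -d)
  mkdir -p "$dir/.github/workflows"
  cat > "$dir/.github/workflows/ci.yml" <<'EOF'
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Mutable tag: whoever controls the repository can move it.
      - uses: actions/checkout@v4
      # The compromised action, still referenced by tag.
      - uses: tj-actions/changed-files@v45
      # Immutable pin (placeholder SHA, not a real commit). The trailing
      # comment records the intended version for humans and Dependabot.
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4
      # Local action inside this repository; nothing to pin.
      - uses: ./.github/actions/local-lint
EOF
  printf '%s\n' "$dir"
}

sample=$(make_sample_workflows)
audit_workflows "$sample"
echo "third-party actions not pinned to a SHA: $(count_mutable "$sample")"
if has_compromised_action "$sample"; then
  echo "WARNING: tj-actions/changed-files still referenced; rotate secrets and remove it"
fi
rm -rf "$sample"
```

Run it against a real checkout by replacing `$sample` with the repository path; every `mutable` line is a candidate for replacement with the commit SHA of the release you have reviewed, keeping the version as a trailing comment so that tooling can still track updates.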
This incident highlights the critical need for robust security practices within DevSecOps environments and the importance of maintaining vigilance against potential supply chain threats in the development lifecycle.