tj-actions/changed-files GitHub Actions Compromise - March 2025
Compromised GitHub Action exposing CI/CD secrets through workflow execution
Incident Intelligence
FikreSekhel Research is tracking this campaign as a software supply chain compromise involving install-time execution paths.
The tj-actions/changed-files GitHub Action was compromised through unauthorized modifications that resulted in workflow secrets being exposed during CI/CD execution. The incident affected thousands of repositories relying on the action.
Attackers modified action references and introduced malicious behavior capable of extracting sensitive environment variables and workflow secrets from GitHub Actions runners. The compromise highlighted the risks associated with mutable tags and third-party CI/CD dependencies.
Affected workflows leaked secrets into build logs and execution environments. Exposed secrets potentially included cloud credentials, deployment tokens and other sensitive CI/CD artifacts.
Organizations relying on compromised workflow executions faced the risk of credential theft and unauthorized access to cloud resources, source code repositories and deployment pipelines.
Review historical workflow runs, rotate exposed secrets, revoke compromised tokens, verify GitHub Action references and pin dependencies to immutable commit SHAs.
| Severity | Package | Affected versions | CWE | Exploit maturity | Remediation |
|---|---|---|---|---|---|
| Critical | tj-actions/changed-files - Workflow Secret Exposure via Compromised GitHub Action | Compromised tags prior to remediation | CWE-506 | Exploited In The Wild | Rotate secrets, review workflow history, pin GitHub Actions to immutable commit SHAs and replace compromised references. |
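As an added defensive example, not part of this advisory or of the tj-actions project, the following Python script implements the "verify GitHub Action references and pin to immutable commit SHAs" step: it scans a workflow file for `uses:` references and reports every third-party action that is referenced by a mutable tag or branch rather than a 40-character commit SHA, calling out tj-actions/changed-files separately. The sample workflow and the SHA inside it are constructed for the example.

```python
import re
from pathlib import Path

# Matches "uses: owner/repo[/path]@ref" in a GitHub Actions workflow (list item or not)
USES_RE = re.compile(
    r'^\s*-?\s*uses:\s*["\']?([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@([^\s"\'#]+)', re.M
)
# A full-length commit SHA is the only immutable reference form for an action
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow; the 40-hex value is a made-up placeholder, not a real commit
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  changes:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Detect changed files
        uses: tj-actions/changed-files@v45
      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b
"""


def find_mutable_action_refs(workflow_text, watch="tj-actions/changed-files"):
    """Return (repo, ref, reason) for each action that is not pinned to a commit SHA.

    References to the compromised action get their own reason so they can be
    prioritised for secret rotation and workflow-history review.
    """
    findings = []
    for action, ref in USES_RE.findall(workflow_text):
        repo = "/".join(action.split("/")[:2])  # drop any sub-path inside the repo
        if SHA_RE.match(ref):
            continue  # immutable pin: a moved tag cannot change what runs
        reason = "compromised action, mutable ref" if repo == watch else "mutable tag/branch"
        findings.append((repo, ref, reason))
    return findings


def scan_workflow_dir(root):
    """Scan .github/workflows/*.yml and *.yaml under root; returns {path: findings}."""
    results = {}
    for path in Path(root).glob(".github/workflows/*.y*ml"):
        hits = find_mutable_action_refs(path.read_text(encoding="utf-8"))
        if hits:
            results[str(path)] = hits
    return results


if __name__ == "__main__":
    for repo, ref, reason in find_mutable_action_refs(SAMPLE_WORKFLOW):
        print(f"{repo}@{ref}: {reason}")
```

Run `scan_workflow_dir(".")` from a repository root to check every workflow; an empty result means every action reference is SHA-pinned.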