oss-sec mailing list archives

tj-action/changed-files GitHub action was compromised

From: Mark Esler <mark.esler () chainguard dev>
Date: Sat, 15 Mar 2025 12:03:47 -0700

On March 14 2025 at 16:57:45 UTC the tj-action/changed-files GitHub action was
compromised with commit 0e58ed8 ("chore(deps): lock file maintenance (#2460)").
This commit was added to all 361 tagged versions of the GitHub action. This
malicious commit results in a script that can leak CI/CD secrets from runner
memory.

The compromised action has been removed from GitHub.

We are discovering open source projects which are using the compromised action.

StepSecurity [0] and Semgrep [1] posted early analysis.

Cheers,
Mark

[0] https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised
[1] https://semgrep.dev/blog/2025/popular-github-action-tj-actionschanged-files-is-compromised/

Current thread:

tj-action/changed-files GitHub action was compromised Mark Esler (Mar 15)
- Re: tj-action/changed-files GitHub action was compromised Mark Esler (Mar 18)
- Re: tj-action/changed-files GitHub action was compromised Jacob Bachmeyer (Mar 18)