oss-sec mailing list archives
Re: tj-action/changed-files GitHub action was compromised
From: Mark Esler <mark.esler () chainguard dev>
Date: Tue, 18 Mar 2025 17:18:49 -0700
Evan (CC'd) wrote tooling to detect tj-actions/changed-files compromises over the weekend.
tj-scan is now public and aims to help others review logs from their private and public repos for leaked credentials.
https://github.com/chainguard-dev/tj-scan

Mark

On Sat, Mar 15, 2025 at 12:03 PM Mark Esler <mark.esler () chainguard dev> wrote:
On March 14 2025 at 16:57:45 UTC the tj-action/changed-files GitHub action was
compromised with commit 0e58ed8 ("chore(deps): lock file maintenance (#2460)").
This commit was added to all 361 tagged versions of the GitHub action. This
malicious commit results in a script that can leak CI/CD secrets from runner
memory.
The compromised action has been removed from GitHub.
We are discovering open source projects which are using the compromised action.
StepSecurity [0] and Semgrep [1] posted early analysis.
Cheers,
Mark
[0] https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised
[1] https://semgrep.dev/blog/2025/popular-github-action-tj-actionschanged-files-is-compromised/
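The message above notes that the malicious commit was pushed to every tagged version of the action, so any workflow referencing tj-actions/changed-files by tag or branch resolved to the compromised code. The following Python script is an added example, not part of Mark's message or of the tj-scan tool, that inventories `uses:` references to the action in workflow text and classifies each as a mutable ref (tag/branch), a full-length SHA pin, or a ref beginning with the malicious short hash 0e58ed8 named in the advisory. The sample workflow and the 40-character "a" SHA are constructed placeholders; the line-oriented regex parsing is an assumption chosen to keep the script dependency-free rather than a faithful YAML parser.

```python
import re
from typing import List, NamedTuple

ACTION = "tj-actions/changed-files"
# Short hash of the malicious commit named in the advisory.
MALICIOUS_COMMIT_PREFIX = "0e58ed8"
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
# Matches "uses: owner/repo@ref" (optionally quoted, optionally as a list item).
USES = re.compile(r"^\s*-?\s*uses:\s*['\"]?(?P<repo>[^@'\"\s]+)@(?P<ref>[^'\"\s#]+)")


class Finding(NamedTuple):
    line: int
    ref: str
    verdict: str  # "known-malicious", "mutable-ref" or "sha-pinned"


def classify_ref(ref: str) -> str:
    """Classify the ref part of a uses: line.

    Any tag or branch is "mutable-ref": per the advisory all tags were moved
    to the malicious commit, so a tag pin offered no protection.
    """
    if ref.startswith(MALICIOUS_COMMIT_PREFIX):
        return "known-malicious"
    if FULL_SHA.match(ref):
        return "sha-pinned"
    return "mutable-ref"


def scan_workflow(text: str, action: str = ACTION) -> List[Finding]:
    """Return one Finding per uses: line that references `action`."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        match = USES.match(line)
        if not match:
            continue
        repo = match.group("repo").lower()
        # Also catch sub-action paths such as owner/repo/subdir@ref.
        if repo != action and not repo.startswith(action + "/"):
            continue
        ref = match.group("ref")
        findings.append(Finding(number, ref, classify_ref(ref)))
    return findings


def needs_attention(findings: List[Finding]) -> List[Finding]:
    """Everything that is not pinned to a full commit SHA deserves review."""
    return [f for f in findings if f.verdict != "sha-pinned"]


# Constructed sample workflow (not from any real repository).
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  changed:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Get changed files
        uses: tj-actions/changed-files@v45
      - uses: tj-actions/changed-files@0e58ed8   # short form of the advisory's malicious commit
      - uses: 'tj-actions/changed-files@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
"""

if __name__ == "__main__":
    for finding in scan_workflow(SAMPLE_WORKFLOW):
        print(f"line {finding.line}: @{finding.ref} -> {finding.verdict}")
```

Run it over each file under `.github/workflows/` in a repository; any `mutable-ref` or `known-malicious` finding means the workflow could have executed the compromised action during the window described above and its run logs should be reviewed for leaked credentials, as the tj-scan tool mentioned in the reply does.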
Current thread:
- tj-action/changed-files GitHub action was compromised Mark Esler (Mar 15)
- Re: tj-action/changed-files GitHub action was compromised Mark Esler (Mar 18)
- Re: tj-action/changed-files GitHub action was compromised Jacob Bachmeyer (Mar 18)
