Supply-Chain Attack: tj-actions/changed-files GitHub Action

Incident Report for Rapid Response Status Page

Resolved

Dear Customers,

This Rapid Response campaign is now concluded.

1. AXON reports are now available for AXON customers and can be found in the Hunters portal.

2. A blog post that highlights the key elements of the attack flow, with a focus on the large-scale campaign was published by the team and can be found on the Hunters' website: https://www.hunters.security/en/blog/github-actions-supply-chain-attack
a. It includes a summary diagram, recommended action items, an explanation of the investigation tool, and more.

3. as mentioned in our previous rapid response updates, the team also created tools to help with the identification of exposed secrets in GitHub Actions logs:
a. Log Fetching Script (Linux/MacOS Version) - Automatically retrieves GitHub Actions workflow logs for a repository: https://github.com/axon-git/rapid-response/blob/main/GitHub%20Actions%20Supply%20Chain%20-%20tj-actions_reviewdog/linux_fetch_github_workflow_logs.sh

b. Log Fetching Script (Windows Version) - Automatically retrieves GitHub Actions workflow logs for a repository: https://github.com/axon-git/rapid-response/blob/main/GitHub%20Actions%20Supply%20Chain%20-%20tj-actions_reviewdog/windows_fetch_github_workflow_logs.ps1

c. Secret Scanner - A Python script that scans the downloaded logs for secrets potentially exfiltrated via the compromised action: https://github.com/axon-git/rapid-response/blob/main/GitHub%20Actions%20Supply%20Chain%20-%20tj-actions_reviewdog/cve_2025_30066_scanner.py

If you encounter any findings that require further assistance, please feel free to reach out.

Sincerely,
Team AXON.
Posted Mar 23, 2025 - 11:52 UTC

Update

Dear Customers,

As part of our ongoing response, we’ve created tools to help you identify exposed secrets in your GitHub Actions logs.

1. Log Fetching Script - Automatically retrieves GitHub Actions workflow logs for a repository:
a. Linux/macOS version: https://github.com/axon-git/rapid-response/blob/main/GitHub%20Actions%20Supply%20Chain%20-%20tj-actions_reviewdog/linux_fetch_github_workflow_logs.sh
b. Windows PowerShell version: https://github.com/axon-git/rapid-response/blob/main/GitHub%20Actions%20Supply%20Chain%20-%20tj-actions_reviewdog/windows_fetch_github_workflow_logs.ps1
c. If you prefer not to use the provided scripts, you can download logs manually via the GitHub UI:
1. Go to your repository's Actions tab.
2. Open a workflow run you’d like to inspect.
3. Click the “Download logs” button in the upper-right corner of the workflow page.
4. Save and extract the logs locally.
5. Run the scanner script on the extracted logs.
2. Secret Scanner - A Python script that scans the downloaded logs for secrets potentially exfiltrated via the compromised action.
a. Scanner script: https://github.com/axon-git/rapid-response/blob/main/GitHub%20Actions%20Supply%20Chain%20-%20tj-actions_reviewdog/cve_2025_30066_scanner.py

If you encounter false positives or unexpected findings while using the tool, we encourage you to reach out and share your insights with us.

Sincerely,
Team AXON.
Posted Mar 21, 2025 - 09:38 UTC

Update

Dear Customers,

Our team, AXON, is continuing in-depth threat research on the ongoing series of GitHub Actions supply chain attacks.
In the meantime, all customers for whom relevant GitHub audit logs have been identified now have access to their published AXON reports in the Hunters portal.

1. Below is the latest list of potentially compromised GitHub Actions:

tj-actions/changed-files
tj-actions/eslint-changed-files
reviewdog/action-setup
reviewdog/action-shellcheck
reviewdog/action-composite-template
reviewdog/action-staticcheck
reviewdog/action-ast-grep
reviewdog/action-typos

Note: At this point, there is a possibility that additional compromised GitHub Actions related to Reviewdog have yet to be disclosed.

2. Below is the latest list of GitHub search queries that can help identify the use of potentially compromised GitHub Actions within your GitHub organization:

https://github.com/search?q=org%3Ainsert-your-github-org-name%20uses%3A%20tj-actions%2Fchanged-files%20language%3AYAML%20path%3A.github%2F&type=code

https://github.com/search?q=org%3Ainsert-your-github-org-name+(reviewdog%2Faction-setup+OR+reviewdog%2Faction-shellcheck+OR+reviewdog%2Faction-composite-template+OR+reviewdog%2Faction-staticcheck+OR+reviewdog%2Faction-ast-grep+OR+reviewdog%2Faction-typos+OR+tj-actions%2Fchanged-files+OR+tj-actions%2Feslint-changed-files)+language%3AYAML+path%3A.github%2F&type=code

https://github.com/search?q=org%3Ainsert-your-github-org-name+reviewdog+language%3AYAML+path%3A.github%2F&type=code


If you need further assistance with follow-up investigation steps, including reviewing GitHub workflow logs, please feel free to reach out to Team AXON via an AXON request.

Sincerely,
Team AXON.
Posted Mar 20, 2025 - 10:31 UTC

Update

Dear customers,

We are re-sharing Section 4 to include a previously missing part. Please refer to this updated version for the complete details.

4. It is recommended to conduct a search in organizational repositories to identify any usage of reviewdog actions as well.

Here are examples for GitHub search queries that can be used to identify the usage of relevant GitHub actions in your organization.
Please modify the insert-your-github-org-name placeholder to your actual organization name:

a. https://github.com/search?q=org%3Ainsert-your-github-org-name+(reviewdog%2Faction-setup+OR+reviewdog%2Faction-shellcheck+OR+reviewdog%2Faction-composite-template+OR+reviewdog%2Faction-staticcheck+OR+reviewdog%2Faction-ast-grep+OR+reviewdog%2Faction-typos+OR+tj-actions%2Fchanged-files)+language%3AYAML+path%3A.github%2F&type=code

b. https://github.com/search?q=org%3Ainsert-your-github-org-name%20uses%3A%20tj-actions%2Fchanged-files%20language%3AYAML%20path%3A.github%2F&type=code

c. https://github.com/search?q=org%3Ainsert-your-github-org-name+reviewdog+language%3AYAML+path%3A.github%2F&type=code
Posted Mar 18, 2025 - 18:54 UTC

Update

Dear Customers,

Team AXON continues to monitor and assess a recently disclosed CI/CD supply-chain attack affecting the widely used tj-actions/changed-files GitHub Action. According to the latest reports, the scope of this attack extends beyond a single action, with additional compromised GitHub Actions identified.

Below is a brief update on the current RR state

1. AXON reports were shared with all the customers for which we identified any indication for potential usage of the tj-actions/changed-files GitHub Action based on ingested GitHub audit logs. However, it is important to note that GitHub audit logs do not provide sufficient details to definitively confirm whether other customers have used or are currently using the affected GitHub Action.

2. Hence, it is recommended to follow our previously shared recommendations and conduct a thorough search across organizational repositories to identify any usage of tj-actions/changed-files.

3. Important update: According to latest publications, there is a high likelihood that additional GitHub Actions were compromised prior to tj-actions/changed-files, including multiple reviewdog actions, such as reviewdog/action-setup. While this particular action is significantly less popular, the nature of the threat remains similar and requires the same level of response measures to mitigate potential risks effectively.

4. It is recommended to conduct a search in organizational repositories to identify any usage of reviewdog actions as well.

Here are examples for GitHub search queries that can be used to identify the usage of relevant GitHub actions in your organization.
Please modify the "" placeholder to your actual organization name:

a. https://github.com/search?q=org%3A+(reviewdog%2Faction-setup+OR+reviewdog%2Faction-shellcheck+OR+reviewdog%2Faction-composite-template+OR+reviewdog%2Faction-staticcheck+OR+reviewdog%2Faction-ast-grep+OR+reviewdog%2Faction-typos+OR+tj-actions%2Fchanged-files)+language%3AYAML+path%3A.github%2F&type=code

b. https://github.com/search?q=org%3A%20uses%3A%20tj-actions%2Fchanged-files%20language%3AYAML%20path%3A.github%2F&type=code

c. https://github.com/search?q=org%3A+reviewdog+language%3AYAML+path%3A.github%2F&type=code


5. Based on the information available so far, the expected behavior of the compromised actions remains consistent—attempting to dump secrets into Workflow Logs. However, it is important to note that not all malicious commits deployed by the threat actor contained the same curl command to fetch the malicious payload from Gist, indicating potential variations in the attack execution.

Sections 6 to 8 outline the same recommendations we previously provided, all of which are relevant and strongly recommended for addressing any findings related to the compromised actions:

6. Complete Removal Across All Branches – Remove all references to the potentially compromised actions from all branches, not just the main branch, to prevent unintended execution.

7. Secret Rotation if Exposure is Detected – If any secrets were compromised, immediate rotation is advised.

8. Handling Workflow Logs – Deleting the affected workflow can reduce the risk of further exposure. However, for forensic analysis, we recommend retaining a secure copy of the log contents from the exposure window before deletion.


This incident remains under active evaluation, we are committed to providing timely updates, insights, and recommendations to ensure our customers remain secure. A detailed AXON report outlining our findings, insights, and recommended actions will be shared upon the conclusion of our Rapid Response efforts.

If you have any questions or concerns, please do not hesitate to contact us.

Sincerely,
Team AXON.
Posted Mar 18, 2025 - 17:48 UTC

Investigating

Dear Customers,

Team AXON is actively monitoring and assessing a recently disclosed CI/CD supply-chain attack involving the widely used tj-actions/changed-files GitHub Action. This action was compromised with a malicious payload designed to potentially exfiltrate CI/CD secrets, exposing them through GitHub Actions build logs.

Key Technical Details and Initial Recommendations:

1. Increased Risk for Public Repositories – Publicly accessible workflow logs pose a higher risk, as they may allow threat actors to extract secrets directly.
2. Malicious Commit – Most existing release tags were altered to point to the same malicious commit (hash: 0e58ed8671d6b60d0890c21b07f8835ace038e67). The attacker modified tags to reference the malicious commit, affecting prior versions as well.
3. Until the investigation concludes, we strongly advise stopping the use of any version of tj-actions/changed-files.
4. Complete Removal Across All Branches – Remove all references to this action from all branches, not just the main branch, to prevent unintended execution.
5. Code Search for Exposure – Conduct a thorough search across organizational repositories to identify any usage of tj-actions/changed-files.
6. Secret Rotation if Exposure is Detected – If any secrets were compromised, immediate rotation is advised.
7. Handling Workflow Logs – Deleting the affected workflow can reduce the risk of further exposure. However, for forensic analysis, we recommend retaining a secure copy of the log contents from the exposure window before deletion.

This incident remains under active evaluation, we are committed to providing timely updates, insights, and recommendations to ensure our customers remain secure. A detailed AXON report outlining our findings, insights, and recommended actions will be shared upon the conclusion of our Rapid Response efforts.

If you have any questions or concerns, please do not hesitate to contact us.

Sincerely,
Team AXON
Posted Mar 16, 2025 - 06:11 UTC
This incident affected: Rapid Response.
Current Status Powered by Atlassian Statuspage