A recent supply chain attack compromised the tj-actions/changed-files GitHub Action, which is used by over 23,000 repositories. Attackers altered its code so that it leaked sensitive developer secrets into build logs, a risk that is especially acute for public repositories, whose build logs anyone can read. The nature of the attack indicates that a bot account's access token was breached. While no external exfiltration of secrets from public repos has been confirmed, maintainers of both public and private projects are advised to consider their projects compromised. The full intent and identity behind the attack remain unknown, and similar malicious activity has been noted in another project.
"This attack appears to have been conducted from a PAT [personal access token] linked to the @tj-actions-bot account, about which 'GitHub is not able to determine how this PAT was compromised,'" said software engineer Tonye Jack, author of tj-actions.
The security shop said attackers compromised the project at some unknown point before March 14 and altered its code so the Action would leak secrets from a project's developer workflow into build logs.
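As an added example (not code from the report, from GitHub, or from the tj-actions project), the following Python script shows the first check a maintainer would run after reading the above: scan a workflow file for every third-party `uses:` reference, flag any use of tj-actions/changed-files for secret rotation, and report which other actions are pulled by a mutable tag or branch rather than pinned to a full commit SHA. The workflow text below is constructed for the example; the regex handling and verdict labels are this example's own.

```python
import re

# Matches a `uses:` step reference of the form owner/repo[/path]@ref.
USES_RE = re.compile(
    r'^\s*-?\s*uses:\s*["\']?(?P<repo>[\w.-]+/[\w.-]+)(?:/[^@\s"\']+)?@(?P<ref>[^\s"\']+)',
    re.MULTILINE,
)
# A reference is immutable only when it is a full 40-hex-digit commit SHA.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow; the SHAs below are placeholders, not real commits.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567
      - uses: docker/build-push-action@v6
      - uses: actions/setup-node@abcdef0123456789abcdef0123456789abcdef01
"""

def audit_workflow(text, target="tj-actions/changed-files"):
    """Return one (repo, ref, verdict) tuple per `uses:` reference in `text`.

    Verdicts: "sha-pinned", "mutable ref", or either of those prefixed with
    "compromised-action, " when the reference is to the affected action.
    """
    findings = []
    for m in USES_RE.finditer(text):
        repo, ref = m.group("repo"), m.group("ref")
        verdict = "sha-pinned" if FULL_SHA_RE.match(ref) else "mutable ref"
        if repo.lower() == target.lower():
            verdict = "compromised-action, " + verdict
        findings.append((repo, ref, verdict))
    return findings

def needs_attention(findings):
    """Entries a maintainer should act on: every use of the affected action
    (the report advises treating the project as compromised regardless of
    ref), plus any other action not pinned to an immutable commit SHA."""
    return [f for f in findings
            if f[2].startswith("compromised-action") or f[2] == "mutable ref"]

if __name__ == "__main__":
    for repo, ref, verdict in needs_attention(audit_workflow(SAMPLE_WORKFLOW)):
        print(f"{repo}@{ref}: {verdict}")
```

Point the script at real `.github/workflows/*.yml` files to get the same report for your own repositories; a SHA-pinned entry still appears when it references the affected action, because the advice above is to rotate secrets in any project that used it.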