Large enterprises scramble after supply-chain attack spills their secrets
Briefly

The tj-actions/changed-files GitHub Action has been compromised with malicious updates that enabled attackers to extract credentials from server memory. This open-source software, widely used by over 23,000 organizations, was targeted when unauthorized access was gained to a maintainer's account. The attackers altered the tags that reference specific code versions so that they pointed to a malicious file that scraped sensitive information, leading many repositories to inadvertently expose their credentials. Experts emphasize the necessity for stringent audits and for pinning actions to commit hashes instead of tags to enhance security in the open-source ecosystem.
The corrupted package, tj-actions/changed-files, is part of tj-actions, a collection of files used by over 23,000 organizations, demonstrating the vulnerability of open-source software.
On Friday or earlier, the source code for tj-actions/changed-files received unauthorized updates that changed the 'tags' developers use to reference specific code versions.
HD Moore, founder of runZero, highlighted the risks, saying actions can modify source code and access secret variables, leading to significant vulnerabilities if not audited.
In the aftermath, many publicly accessible repositories running tj-actions displayed their sensitive credentials in logs that anyone could view.
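As an added example, not taken from the Ars Technica report or from the tj-actions project, the audit the experts quoted above recommend can be automated: the script below walks a GitHub Actions workflow and flags every `uses:` reference that points at a mutable tag or branch instead of a full 40-character commit SHA. The workflow text, the `v1` tag and the SHA value are constructed placeholders.

```python
import re

# A full 40-hex-char commit SHA is immutable; a tag or branch name can be retargeted later.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# 'uses: owner/repo[/path]@ref' on a step line, stopping before any trailing '# comment'.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")

# Constructed sample workflow: the tag and the SHA are placeholders, not real releases.
SAMPLE_WORKFLOW = """\
name: ci
jobs:
  changed:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: changed files, tag pin (mutable)
        uses: tj-actions/changed-files@v1
      - name: changed files, SHA pin (immutable)
        uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567  # v1
      - uses: ./.github/actions/local-helper
"""

def parse_uses(ref):
    """Split 'owner/repo[/path]@version' into (action, version); local and docker refs give None."""
    if ref.startswith("./") or ref.startswith("docker://"):
        return None
    if "@" not in ref:
        return (ref, None)  # no version at all: resolves to the default branch
    action, _, version = ref.rpartition("@")
    return (action, version)

def audit_workflow(text):
    """Return (line_no, action, version, pinned_to_sha) for every GitHub-hosted action used."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        match = USES_RE.match(line)
        if not match:
            continue
        parsed = parse_uses(match.group(1).strip("\"'"))
        if parsed is None:
            continue
        action, version = parsed
        pinned = version is not None and bool(SHA_RE.match(version))
        findings.append((line_no, action, version, pinned))
    return findings

def unpinned_actions(text):
    """The references a reviewer should flag: anything not pinned to a full commit SHA."""
    return [f for f in audit_workflow(text) if not f[3]]
```

Run `unpinned_actions` over each file under `.github/workflows/` in CI and fail the build on a non-empty result; a SHA pin still needs a comment or a bot such as Dependabot to track which release it corresponds to.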
Read at Ars Technica