
Supply chain attack affecting multiple GitHub actions

On March 14, 2025, attackers compromised a popular GitHub action, injecting malicious code to expose sensitive CI/CD secrets within workflow logs.

What Happened?

On March 14, 2025, attackers compromised the popular GitHub Action tj-actions/changed-files, injecting malicious code to expose sensitive CI/CD secrets within workflow logs. This supply chain attack affected a total of 218 repositories, posing significant security risks despite its relatively limited scope.


Attack Methodology

  • Attackers leveraged a compromised GitHub Personal Access Token (PAT) from a separate supply chain attack on the GitHub Action reviewdog/action-setup@v1.
  • Malicious code introduced into tj-actions/changed-files dumped CI/CD secrets (GitHub tokens, DockerHub credentials, npm tokens, AWS credentials) into publicly accessible workflow logs.
  • Many compromised repositories inadvertently exposed secrets because workflow logs were configured to be publicly accessible.


Impact

  • 218 repositories across multiple organizations publicly exposed sensitive secrets.
  • Short-lived GitHub tokens had limited exploitation potential because they expire quickly, but the other credentials (DockerHub, npm, AWS) posed serious and lasting security risks.
  • Potential for further downstream supply chain attacks due to compromised popular repositories.


Recommended Actions

  • Immediate Credential Rotation: Rotate any secrets exposed by the affected GitHub Actions immediately, especially high-risk credentials (DockerHub, npm, AWS).
  • Log Security: Ensure workflow logs are not publicly accessible and monitor logs for suspicious activity or unauthorized access.
  • Pin GitHub Actions: Use commit SHA hashes rather than mutable tags for referencing GitHub Actions to prevent future supply chain attacks.
  • Dependency Review: Regularly audit GitHub Actions dependencies and enable automated tools like Dependabot to identify and update vulnerable components promptly.
  • Security Best Practices: Review and implement GitHub's recommended security hardening measures for Actions workflows.
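The pinning recommendation above is easy to state and easy to miss in review, so here is an added example (not code from the original post or from any of the projects named in it) that scans a workflow file for `uses:` references and flags any that point at a mutable tag or branch instead of a full 40-character commit SHA. The sample workflow and both commit SHAs are constructed for illustration; they are not real versions of those actions.

```python
import re
from typing import List

# Constructed sample workflow (not from the original post). The first three
# references use mutable tags, which is what allowed the tag retargeting in
# this incident; the last two are pinned to (placeholder, constructed) commit SHAs.
SAMPLE_WORKFLOW = """
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: reviewdog/action-setup@v1
      - uses: ./.github/actions/local-step
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - name: pinned example
        uses: "example-org/example-action@abcdef0123456789abcdef0123456789abcdef01"
"""

# Matches a `uses:` step line, with or without the leading list dash or quotes,
# and captures the reference up to whitespace, a closing quote, or a comment.
USES_RE = re.compile(r'^\s*(?:-\s*)?uses:\s*["\']?([^\s"\'#]+)')
# A full commit SHA is exactly 40 lowercase hex characters.
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def parse_uses(workflow_text: str) -> List[str]:
    """Return every `uses:` reference in the workflow text, in file order."""
    return [m.group(1) for line in workflow_text.splitlines()
            if (m := USES_RE.match(line))]


def classify(ref: str) -> str:
    """Classify one reference as local, docker, pinned, mutable, or unversioned."""
    if ref.startswith("./"):
        return "local"          # actions checked out with the repository itself
    if ref.startswith("docker://"):
        return "docker"         # image references are pinned by digest, not commit SHA
    if "@" not in ref:
        return "unversioned"    # no ref at all; GitHub rejects these, but flag anyway
    _, version = ref.rsplit("@", 1)
    return "pinned" if FULL_SHA_RE.match(version) else "mutable"


def find_unpinned(workflow_text: str) -> List[str]:
    """Return the references that should be repinned to a full commit SHA."""
    return [r for r in parse_uses(workflow_text)
            if classify(r) in ("mutable", "unversioned")]


if __name__ == "__main__":
    for ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"unpinned action reference: {ref}")
```

Run against the sample, the checker reports the three tag-based references and accepts the two SHA-pinned ones. The check is deliberately narrow: it only looks at the workflow's own `uses:` lines, so a composite action that is itself pinned by SHA but internally references other actions by tag is not covered, and a pinned SHA still needs to be reviewed once, since pinning guarantees you get the commit you reviewed rather than that the commit is safe.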

