![]() |
|
Message-ID: <CAK84RTWeQW-+SAFR5V+Y_utGT8U30NaoVxYu+7CfZz18EQ0Vag@mail.gmail.com> Date: Sat, 15 Mar 2025 12:03:47 -0700 From: Mark Esler <mark.esler@...inguard.dev> To: oss-security@...ts.openwall.com Subject: tj-action/changed-files GitHub action was compromised On March 14 2025 at 16:57:45 UTC the tj-action/changed-files GitHub action was compromised with commit 0e58ed8 ("chore(deps): lock file maintenance (#2460)"). This commit was added to all 361 tagged versions of the GitHub action. This malicious commit results in a script that can leak CI/CD secrets from runner memory. The compromised action has been removed from GitHub. We are discovering open source projects which are using the compromised action. StepSecurity [0] and Semgrep [1] posted early analysis. Cheers, Mark [0] https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised [1] https://semgrep.dev/blog/2025/popular-github-action-tj-actionschanged-files-is-compromised/
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.