Message-ID: <CAK84RTWeQW-+SAFR5V+Y_utGT8U30NaoVxYu+7CfZz18EQ0Vag@mail.gmail.com>
Date: Sat, 15 Mar 2025 12:03:47 -0700
From: Mark Esler <mark.esler@...inguard.dev>
To: oss-security@...ts.openwall.com
Subject: tj-action/changed-files GitHub action was compromised

On March 14 2025 at 16:57:45 UTC the tj-action/changed-files GitHub action was
compromised with commit 0e58ed8 ("chore(deps): lock file maintenance (#2460)").
This commit was added to all 361 tagged versions of the GitHub action. This
malicious commit results in a script that can leak CI/CD secrets from runner
memory.

The compromised action has been removed from GitHub.

We are discovering open source projects which are using the compromised action.

StepSecurity [0] and Semgrep [1] posted early analysis.

Cheers,
Mark

[0] https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised
[1] https://semgrep.dev/blog/2025/popular-github-action-tj-actionschanged-files-is-compromised/
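The practical follow-up to a report like this is finding every workflow that references the action and deciding whether the reference could have resolved to the rewritten tags. The script below is an added example, not code from the post or from the StepSecurity or Semgrep analyses. It walks `.github/workflows/*.yml` and `*.yaml`, extracts each `uses:` reference, and classifies it: any reference to the changed-files action by a mutable tag or branch is flagged, since the report says the malicious commit was pushed to all 361 tags; a reference whose ref begins with the short hash `0e58ed8` from the report is flagged as pinned to the malicious commit itself; other actions on mutable refs get a lower-severity warning because the same tag-retargeting technique applies to them. The post spells the action `tj-action/changed-files` while the linked posts spell it `tj-actions/changed-files`, so the matcher accepts both. The sample workflow and the 40-hex SHA in it are constructed for the demonstration.

```python
from __future__ import annotations

import re
import sys
from dataclasses import dataclass
from pathlib import Path

# Short hash of the malicious commit named in the report.
COMPROMISED_COMMIT_PREFIX = "0e58ed8"

# The report writes "tj-action/changed-files"; the linked analyses write
# "tj-actions/changed-files". Accept either spelling.
CHANGED_FILES_RE = re.compile(r"^tj-actions?/changed-files$")

# `uses: owner/repo@ref` (optionally quoted, optionally a list item).
# Local (`./path`) and `docker://` uses have no `@` and are skipped.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"@]+)@([^\s'"#]+)""")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Finding:
    line: int
    action: str
    ref: str
    pinned_to_sha: bool
    severity: str  # "critical", "warn" or "info"
    reason: str


def audit_workflow(text: str) -> list[Finding]:
    """Classify every `uses:` reference in one workflow file's text."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group(1), m.group(2)
        pinned = bool(FULL_SHA_RE.match(ref))
        if CHANGED_FILES_RE.match(action):
            if ref.startswith(COMPROMISED_COMMIT_PREFIX):
                sev, why = "critical", "pinned to the malicious commit"
            elif pinned:
                sev, why = "warn", ("pinned to a full SHA; unaffected only if that SHA "
                                    "is not the malicious commit; review runner logs")
            else:
                sev, why = "critical", ("mutable ref; all tags of this action were "
                                        "moved to the malicious commit")
        elif pinned:
            sev, why = "info", "pinned to a full commit SHA"
        else:
            sev, why = "warn", ("mutable ref (tag or branch); a compromised upstream "
                                "can retarget it, as happened here")
        findings.append(Finding(lineno, action, ref, pinned, sev, why))
    return findings


def audit_repo(root: Path) -> dict[str, list[Finding]]:
    """Audit every workflow file under <root>/.github/workflows."""
    results: dict[str, list[Finding]] = {}
    wf_dir = root / ".github" / "workflows"
    for path in sorted(list(wf_dir.glob("*.yml")) + list(wf_dir.glob("*.yaml"))):
        results[str(path)] = audit_workflow(path.read_text(encoding="utf-8"))
    return results


# Constructed sample workflow; the 40-hex SHA is made up for the demo.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - name: Changed files
        uses: tj-actions/changed-files@v45
      - uses: tj-actions/changed-files@0e58ed8
      - uses: ./.github/actions/local
"""

if __name__ == "__main__":
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    report = audit_repo(root) if root else {"<sample>": audit_workflow(SAMPLE_WORKFLOW)}
    for path, findings in report.items():
        for f in findings:
            print(f"{f.severity:8} {path}:{f.line} {f.action}@{f.ref}  {f.reason}")
```

Run it with a repository path to audit a checkout, or with no arguments to see the classification of the constructed sample. A `critical` line is a workflow that would have executed the rewritten action during the compromise window; the secrets available to that job are the ones to rotate first, and the job's logs from the window are what to inspect.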
