Responding To The March 2025 GitHub Actions Supply Chain Attack

On March 14, 2025, a significant supply chain attack compromised the tj-actions/changed-files GitHub Action, impacting over 23,000 repositories. This incident, tracked as. Cybersecurity experts covering the attack have all advised that an immediate response is required from project maintainers to ensure their secrets aren't exposed.
GitHub Supply Chain Attack Spills Secrets From 23K Projects • The Register

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a vulnerability linked to the supply chain compromise of the GitHub Action tj-actions/changed-files to its Known Exploited Vulnerabilities (KEV) catalog. A new supply chain attack on GitHub, dubbed 'GhostAction', has compromised 3,325 secrets, including PyPI, npm, DockerHub, GitHub tokens, Cloudflare, and AWS keys.
GitHub Actions Supply Chain Attack(s): Tj-actions & Reviewdog

(Updated March 19, 2025) The compromise of tj-actions/changed-files was potentially enabled by a compromise of another GitHub Action, reviewdog/action-setup@v1 (tracked as CVE-2025-30154), which occurred around the same time. The following actions may also be affected:

Review GitHub Actions runs from the affected timeframe, looking for suspicious script executions. Look for encoded payloads in workflow logs, particularly double-encoded base64 strings. Rotate secrets immediately if leakage is confirmed, especially in public repositories.
GitHub As Supply-chain Attack Vector | Barracuda Networks Blog

On March 14, 2025, a critical supply chain attack targeted the widely used GitHub Action tj-actions/changed-files. This Action, used in over 23,000 repositories, was compromised when attackers injected malicious code, causing CI/CD pipeline secrets to be exposed in GitHub Actions logs. Security researchers at StepSecurity first detected the compromise on March 14, 2025, after observing suspicious activity in the Action's repository. Attackers had compromised a GitHub personal access token (PAT) used by a bot (@tj-actions-bot) with privileged access to the repository. Attackers retroactively modified multiple version tags to reference a malicious commit, exposing CI/CD secrets in workflow logs. The vulnerability existed between March 14 and March 15, 2025, and has since been mitigated; this poses a significant risk of unauthorized access to sensitive information. It has been patched in v46.0.1. Wiz Threat Research has identified dozens of repositories affected by the incident, including repos operated by large organizations. Among the leaked CI/CD secrets are valid AWS access keys, GitHub personal access tokens, private RSA keys and other secrets.

The GhostAction Supply Chain Attack: Compromised GitHub Workflows And Stolen Secrets