https://community.isc2.org/t5/Threats/GitHub-Actions-Supply-Chain-Compromise-tj-actions/m-p/78083#M1548 <P>Hi All</P><P>&nbsp;</P><P>A sophisticated cascading supply chain attack has compromised multiple GitHub Actions, exposing critical CI/CD secrets across tens of thousands of repositories. The attack, which originally targeted the widely used “tj-actions/changed-files” utility, is now believed to have originated from an earlier breach of the “reviewdog/action-setup@v1” GitHub Action, according to a report.</P><P>&nbsp;</P><P>Source:&nbsp; Cryptogram - Bruce Schneier</P><P>&nbsp;</P><P>CISA confirmed the vulnerability has been patched in version 46.0.1.</P><P>Given that the utility is used by more than 23,000 GitHub repositories, the scale of potential impact has raised significant alarm throughout the developer community.</P><P>&nbsp;</P><P>Regards</P><P>&nbsp;</P><P>Caute_Cautim</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 21 Mar 2025 03:06:24 GMT Caute_cautim 2025-03-21T03:06:24Z https://community.isc2.org/t5/Threats/GitHub-Actions-Supply-Chain-Compromise-tj-actions/m-p/77926#M1539 <P><SPAN>tj-actions/changed-files, has been compromised with a payload that appears to attempt to dump secrets, impacting thousands of CI pipelines.</SPAN></P><P>&nbsp;</P><P><SPAN><A href="https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised" target="_blank">https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised</A></SPAN></P><P><SPAN><A href="https://www.upwind.io/feed/github-actions-supply-chain-compromise-tj-actions-changed-files-action" target="_blank">https://www.upwind.io/feed/github-actions-supply-chain-compromise-tj-actions-changed-files-action</A></SPAN></P><P>&nbsp;</P> Sat, 15 Mar 2025 17:45:34 GMT https://community.isc2.org/t5/Threats/GitHub-Actions-Supply-Chain-Compromise-tj-actions/m-p/77926#M1539 akkem 2025-03-15T17:45:34Z https://community.isc2.org/t5/Threats/GitHub-Actions-Supply-Chain-Compromise-tj-actions/m-p/77972#M1542 We always recommend using a checksum or digest before deploying anything to a system. If you have verified the SHA value during installation to ensure you're using the correct version of tj-actions, then you are not compromised. Otherwise, regardless of the tag, all versions are vulnerable, as tags can be modified to push the same vulnerable code. Mon, 17 Mar 2025 23:50:03 GMT https://community.isc2.org/t5/Threats/GitHub-Actions-Supply-Chain-Compromise-tj-actions/m-p/77972#M1542 akkem 2025-03-17T23:50:03Z https://community.isc2.org/t5/Threats/GitHub-Actions-Supply-Chain-Compromise-tj-actions/m-p/77986#M1546 <P>This is very informative. Thank you for sharing your time and experience with us in this forum&nbsp;<a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/111970903">@akkem</a>.<BR /><BR /></P><P>&nbsp;</P> Tue, 18 Mar 2025 12:04:19 GMT https://community.isc2.org/t5/Threats/GitHub-Actions-Supply-Chain-Compromise-tj-actions/m-p/77986#M1546 Kyaw_Myo_Oo 2025-03-18T12:04:19Z https://community.isc2.org/t5/Threats/GitHub-Actions-Supply-Chain-Compromise-tj-actions/m-p/78083#M1548 <P>Hi All</P><P>&nbsp;</P><P>A sophisticated cascading supply chain attack has compromised multiple GitHub Actions, exposing critical CI/CD secrets across tens of thousands of repositories. The attack, which originally targeted the widely used “tj-actions/changed-files” utility, is now believed to have originated from an earlier breach of the “reviewdog/action-setup@v1” GitHub Action, according to a report.</P><P>&nbsp;</P><P>Source:&nbsp; Cryptogram - Bruce Schneier</P><P>&nbsp;</P><P>CISA confirmed the vulnerability has been patched in version 46.0.1.</P><P>Given that the utility is used by more than 23,000 GitHub repositories, the scale of potential impact has raised significant alarm throughout the developer community.</P><P>&nbsp;</P><P>Regards</P><P>&nbsp;</P><P>Caute_Cautim</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 21 Mar 2025 03:06:24 GMT https://community.isc2.org/t5/Threats/GitHub-Actions-Supply-Chain-Compromise-tj-actions/m-p/78083#M1548 Caute_cautim 2025-03-21T03:06:24Z https://community.isc2.org/t5/Threats/GitHub-Actions-Supply-Chain-Compromise-tj-actions/m-p/78179#M1552 Supply chain and OAuth attacks are on the rise in GitHub, threat campaign targeting over 8,000 repositories with the goal of luring developers into granting full repository access. Mitiga’s researchers explain an active GitHub compromise and large-scale phishing campaign, along with providing recommendations for threat hunting and mitigation.<BR /><A href="https://www.mitiga.io/blog/uncovering-hidden-threats-hunting-non-human-identities-in-github?utm_source=Marketo&amp;utm_medium=Email&amp;utm_campaign=MonthlyNewsletter&amp;mkt_tok=NDIyLURKUC0xNjEAAAGZZv92weMEvYsFdrKojktdAFzWR24xakr8gAQ4JFXwD4D1oaHd4FeyKsRbNbGfYGuoX_FY9pI0sro_xCvPNeT1ye-KSXEvisvdHk8s1SdD" target="_blank">https://www.mitiga.io/blog/uncovering-hidden-threats-hunting-non-human-identities-in-github?utm_source=Marketo&amp;utm_medium=Email&amp;utm_campaign=MonthlyNewsletter&amp;mkt_tok=NDIyLURKUC0xNjEAAAGZZv92weMEvYsFdrKojktdAFzWR24xakr8gAQ4JFXwD4D1oaHd4FeyKsRbNbGfYGuoX_FY9pI0sro_xCvPNeT1ye-KSXEvisvdHk8s1SdD</A><BR /> Mon, 24 Mar 2025 12:42:31 GMT https://community.isc2.org/t5/Threats/GitHub-Actions-Supply-Chain-Compromise-tj-actions/m-p/78179#M1552 akkem 2025-03-24T12:42:31Z