Risky Bulletin Newsletter
March 17, 2025
Risky Bulletin: GitHub supply chain attack prints everyone's secrets in build logs
A threat actor compromised a popular GitHub Action and added malicious code that prints out secret tokens in project build logs.
The incident took place on Friday and impacted tj-actions/changed-files (hereinafter Changed-Files), an automated action used by over 23,000 GitHub projects.
The action works by analyzing pull requests and detecting which files have changed. It is used in complex CI/CD pipelines to trigger other steps based on what files were modified. It is a basic but very important automation script, which is why it became one of GitHub's most popular actions.
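Because the action is pulled into thousands of pipelines by a `uses:` line, the first thing a practitioner wants after reading this is a way to find every workflow that references it and to see whether that reference is a mutable tag or branch (which an attacker who controls the repository can move) or a full 40-character commit SHA (which cannot be silently retargeted). The script below is an added example written for this article; it is not code from the newsletter or from the tj-actions project. It avoids a YAML dependency by scanning `uses:` lines with a regular expression, skips local (`./`) and `docker://` actions since they are not resolved through GitHub tags, and treats any reference that is not a 40-hex SHA as unpinned. The workflow text it runs on is constructed for the example, including the all-zero placeholder SHA; the `v45` tag and `actions/checkout@v4` are illustrative assumptions, not claims about any particular pipeline.

```python
import re
from dataclasses import dataclass

# Constructed sample workflow (not taken from any real repository). It mixes
# a mutable-tag reference to the action, a placeholder full-SHA pin, and two
# step kinds the audit should ignore.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  detect:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Find changed files
        id: changed
        uses: tj-actions/changed-files@v45
      - name: Pinned variant (placeholder SHA, constructed for the example)
        uses: tj-actions/changed-files@0000000000000000000000000000000000000000
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""

# Matches "uses: target" whether or not the line starts a list item, and
# tolerates an optional quote around the target.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
# A full commit SHA is exactly 40 lowercase hex characters.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class ActionRef:
    line: int          # 1-based line number in the workflow text
    action: str        # owner/repo or owner/repo/subdir
    ref: str           # tag, branch or commit SHA after '@' ('' if absent)
    sha_pinned: bool   # True only when ref is a full 40-hex commit SHA


def parse_uses(text):
    """Return every GitHub-hosted action reference found in workflow text."""
    refs = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        if target.startswith(("./", "docker://")):
            continue  # local and container actions are not tag-resolved on GitHub
        action, _, ref = target.partition("@")
        refs.append(ActionRef(n, action, ref, bool(SHA_RE.match(ref))))
    return refs


def audit(text, action_name="tj-actions/changed-files"):
    """Return references to action_name (or a sub-action of it) that are not
    pinned to a full commit SHA, i.e. the ones a retargeted tag could hijack."""
    return [
        r for r in parse_uses(text)
        if (r.action == action_name or r.action.startswith(action_name + "/"))
        and not r.sha_pinned
    ]


if __name__ == "__main__":
    for r in audit(SAMPLE_WORKFLOW):
        print(f"line {r.line}: {r.action}@{r.ref} is not pinned to a commit SHA")
```

Run it over each `.github/workflows/*.yml` in an organisation (for example with `find` and a loop) to get a list of pipelines that would have picked up a malicious commit the moment a tag was moved. Two caveats: a SHA pin only protects you if someone actually reviewed the commit it points at, and it does not cover actions that the pinned action itself pulls in by tag, so the audit should be repeated against the action's own workflow and composite-action files.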