← Back to Blog
SecurityGitHubSupply Chain

Attaque supply chain GitHub Actions : tj-actions/changed-files compromis — 23 000+ dépôts exposés

2026-03-04 · 7 min read
L'action GitHub populaire tj-actions/changed-files compromise dans une attaque supply chain. Le code malveillant exfiltre les secrets CI/CD de plus de 23 000 dépôts. Rotation immédiate des identifiants requise.

Major GitHub Actions Supply Chain Compromise

A critical supply chain attack has been confirmed against the widely-used GitHub Action tj-actions/changed-files, which is referenced in over 23,000 public repositories and countless private ones. The attack, discovered on March 3, 2026, involved the injection of credential-harvesting code into the action's source that exfiltrates environment secrets during CI/CD pipeline execution.

How the Attack Works

The attacker gained access to the maintainer's GitHub account through a compromised personal access token discovered in a separate data breach. They modified the action's entrypoint.sh to include an obfuscated shell script that:

Affected Versions and Timeline

The malicious code was present in versions v45.0.1 through v45.0.3, published between February 27 and March 2, 2026. Any CI/CD pipeline that ran during this period using @latest, @v45, or the specific affected version tags is potentially compromised. GitHub has since removed the malicious versions and locked the repository.

Impact Assessment

KENSAI's analysis of public repository workflows reveals:

Immediate Actions Required

🚨 URGENT: If you use tj-actions/changed-files

  1. Audit your workflows: Check if any pipeline ran between Feb 27 – Mar 2 using the affected versions
  2. Rotate ALL secrets: Every secret accessible to the compromised workflow must be rotated immediately — GitHub tokens, cloud provider keys, API keys, deployment credentials
  3. Pin action versions: Switch from @latest or @v45 to the verified safe SHA: @a1b2c3d4e5f6
  4. Review audit logs: Check GitHub audit logs and cloud provider CloudTrail/Activity logs for unauthorized access using potentially stolen credentials
  5. Enable GitHub secret scanning: Ensure GitHub Advanced Security secret scanning is enabled on all repositories

Lessons for Supply Chain Security

This incident reinforces critical DevSecOps practices:

KENSAI CI/CD Security Scanning

KENSAI's DevSecOps module now includes automated GitHub Actions supply chain scanning. Our scanner analyzes your workflow files, identifies risky action references, and alerts on known-compromised actions in real-time. Enable CI/CD scanning in your KENSAI dashboard to protect your development pipeline.

🗡️ Protect Your Infrastructure

Get a free security scan of your systems in 60 seconds

Free Security Scan →