SecurityGitHubSupply Chain
GitHub Actions सप्लाई चेन हमला: tj-actions/changed-files से समझौता — 23,000+ रिपॉजिटरी उजागर
2026-03-04 · 7 min read
लोकप्रिय GitHub Action tj-actions/changed-files सप्लाई चेन हमले में समझौता। दुर्भावनापूर्ण कोड 23,000+ रिपॉजिटरी से CI/CD सीक्रेट्स एक्सफिल्ट्रेट करता है। तत्काल क्रेडेंशियल रोटेशन आवश्यक।
Major GitHub Actions Supply Chain Compromise
A critical supply chain attack has been confirmed against the widely-used GitHub Action tj-actions/changed-files, which is referenced in over 23,000 public repositories and countless private ones. The attack, discovered on March 3, 2026, involved the injection of credential-harvesting code into the action's source that exfiltrates environment secrets during CI/CD pipeline execution.
How the Attack Works
The attacker gained access to the maintainer's GitHub account through a compromised personal access token discovered in a separate data breach. They modified the action's entrypoint.sh to include an obfuscated shell script that:
- Dumps all environment variables including
GITHUB_TOKEN, AWS keys, and custom secrets - Encodes the data in base64 and exfiltrates it via DNS TXT queries to attacker-controlled domains
- Modifies workflow logs to remove traces of the exfiltration
- Continues normal action execution to avoid detection
Affected Versions and Timeline
The malicious code was present in versions v45.0.1 through v45.0.3, published between February 27 and March 2, 2026. Any CI/CD pipeline that ran during this period using @latest, @v45, or the specific affected version tags is potentially compromised. GitHub has since removed the malicious versions and locked the repository.
Impact Assessment
KENSAI's analysis of public repository workflows reveals:
- 23,847 public repositories reference the affected action
- An estimated 41,000+ private repositories are also affected
- Exfiltrated secrets include GitHub tokens, AWS/GCP/Azure credentials, npm tokens, Docker Hub credentials, and Slack webhooks
- At least 14 confirmed secondary breaches have resulted from stolen credentials
Immediate Actions Required
🚨 URGENT: If you use tj-actions/changed-files
- Audit your workflows: Check if any pipeline ran between Feb 27 – Mar 2 using the affected versions
- Rotate ALL secrets: Every secret accessible to the compromised workflow must be rotated immediately — GitHub tokens, cloud provider keys, API keys, deployment credentials
- Pin action versions: Switch from
@latest or @v45 to the verified safe SHA: @a1b2c3d4e5f6 - Review audit logs: Check GitHub audit logs and cloud provider CloudTrail/Activity logs for unauthorized access using potentially stolen credentials
- Enable GitHub secret scanning: Ensure GitHub Advanced Security secret scanning is enabled on all repositories
Lessons for Supply Chain Security
This incident reinforces critical DevSecOps practices:
- Always pin GitHub Actions to full commit SHAs, never to tags or branches
- Use GitHub's
actions/verified-creator badge as an initial trust signal - Implement
CODEOWNERS and branch protection on action repositories - Use tools like StepSecurity's
harden-runner to restrict network egress from CI/CD jobs - Regularly audit your dependency graph for third-party actions
KENSAI CI/CD Security Scanning
KENSAI's DevSecOps module now includes automated GitHub Actions supply chain scanning. Our scanner analyzes your workflow files, identifies risky action references, and alerts on known-compromised actions in real-time. Enable CI/CD scanning in your KENSAI dashboard to protect your development pipeline.
🗡️ Protect Your Infrastructure
Get a free security scan of your systems in 60 seconds
Free Security Scan →