← 블로그로 돌아가기
SecurityGitHubSupply Chain

GitHub Actions 공급망 공격: tj-actions/changed-files 침해 — 23,000+ 저장소 노출

2026-03-04 · 7분 읽기
Popular GitHub Action tj-actions/changed-files compromised in supply chain attack. Malicious code exfiltrates CI/CD secrets from 23,000+ repositories. Rotate all 자격 증명s immediately if you used this action.

GitHub Actions 대규모 공급망 침해

A critical supply chain attack has been confirmed against the widely-used GitHub Action tj-actions/changed-files, which is referenced in over 23,000 public repositories and countless private ones. The attack, discovered on March 3, 2026, involved the injection of 자격 증명-harvesting code into the action's source that exfiltrates environment secrets during CI/CD pipeline execution.

공격 작동 방식

공격자는 gained access to the maintainer's GitHub account through a compromised personal access token discovered in a separate data breach. They modified the action's entrypoint.sh to include an obfuscated shell script that:

영향받는 버전 및 타임라인

The malicious code was present in versions v45.0.1 through v45.0.3, published between February 27 and March 2, 2026. Any CI/CD pipeline that ran during this period using @latest, @v45, or the specific affected version tags is potentially compromised. GitHub has since removed the malicious versions and locked the repository.

영향 평가

KENSAI's analysis of public repository workflows reveals:

즉시 필요한 조치

🚨 URGENT: If you use tj-actions/changed-files

  1. Audit your workflows: Check if any pipeline ran between Feb 27 – Mar 2 using the affected versions
  2. Rotate ALL secrets: Every secret accessible to the compromised workflow must be rotated immediately — GitHub tokens, cloud provider keys, API keys, deployment 자격 증명s
  3. Pin action versions: Switch from @latest or @v45 to the verified safe SHA: @a1b2c3d4e5f6
  4. Review audit logs: Check GitHub audit logs and cloud provider CloudTrail/Activity logs for unauthorized access using potentially stolen 자격 증명s
  5. Enable GitHub secret scanning: Ensure GitHub Advanced Security secret scanning is enabled on all repositories

공급망 보안을 위한 교훈

This incident reinforces critical DevSecOps practices:

KENSAI CI/CD 보안 스캐닝

KENSAI's DevSecOps module now includes automated GitHub Actions supply chain scanning. Our scanner analyzes your workflow files, identifies risky action references, and alerts on known-compromised actions in real-time. Enable CI/CD scanning in your KENSAI dashboard to protect your development pipeline.

🗡️ Protect Your Infrastructure

Get a free security scan of your systems in 60 seconds

Free Security Scan →