March 21, 2025

Supply chain attack affecting multiple GitHub actions

On March 14, 2025, attackers compromised a popular GitHub action, injecting malicious code to expose sensitive CI/CD secrets within workflow logs.

What Happened?

On March 14, 2025, attackers compromised the popular GitHub Action tj-actions/changed-files, injecting malicious code to expose sensitive CI/CD secrets within workflow logs. This supply chain attack affected a total of 218 repositories, posing significant security risks despite its relatively limited scope.

Attack Methodology

  • Attackers leveraged a compromised GitHub Personal Access Token (PAT) from a separate supply chain attack on the GitHub Action reviewdog/action-setup@v1.
  • Malicious code introduced into tj-actions/changed-files dumped CI/CD secrets (GitHub tokens, DockerHub credentials, npm tokens, AWS credentials) into publicly accessible workflow logs.
  • Many compromised repositories inadvertently exposed secrets because workflow logs were configured to be publicly accessible.

Impact

  • 218 repositories across multiple organizations publicly exposed sensitive secrets.
  • Short-lived GitHub tokens had limited exploitation potential because they expire quickly, but the other exposed credentials (DockerHub, npm, AWS) posed serious and lasting security risks.
  • Potential for further downstream supply chain attacks due to compromised popular repositories.

Recommended Actions

  • Immediate Credential Rotation: Rotate any secrets exposed by the affected GitHub Actions immediately, especially high-risk credentials (DockerHub, npm, AWS).
  • Log Security: Ensure workflow logs are not publicly accessible and monitor logs for suspicious activity or unauthorized access.
  • Pin GitHub Actions: Use commit SHA hashes rather than mutable tags for referencing GitHub Actions to prevent future supply chain attacks.
  • Dependency Review: Regularly audit GitHub Actions dependencies and enable automated tools like Dependabot to identify and update vulnerable components promptly.
  • Security Best Practices: Review and implement GitHub's recommended security hardening measures for Actions workflows.
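To make the pinning advice above concrete, here is an added audit script (not part of the original post) that scans a workflow file for `uses:` references still pointing at a mutable tag or branch. The workflow text and the 40-hex SHA inside it are constructed samples, not real repository content or real commits.

```python
import re

# Constructed sample workflow, not taken from any real repository. The SHA on the
# setup-node line is a placeholder, not a real commit of that action.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@main
      - uses: reviewdog/action-setup@v1
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - run: echo build
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def classify(ref: str) -> str:
    """Return 'local', 'docker', 'pinned' or 'mutable' for one `uses:` reference."""
    if ref.startswith("./"):
        return "local"    # in-repo action, covered by this repository's own code review
    if ref.startswith("docker://"):
        return "docker"   # container image: needs digest pinning, checked separately
    _, _, version = ref.partition("@")
    # Only a full 40-hex commit SHA is immutable; tags and branches can be moved.
    return "pinned" if FULL_SHA_RE.match(version) else "mutable"

def find_mutable_refs(workflow_text: str) -> list[str]:
    """Collect every action reference that resolves through a tag or branch."""
    mutable = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m and classify(m.group(1)) == "mutable":
            mutable.append(m.group(1))
    return mutable

if __name__ == "__main__":
    for ref in find_mutable_refs(SAMPLE_WORKFLOW):
        print(f"unpinned action reference: {ref}")
```

Keep the version as a trailing comment on each pinned line, as in the sample, so tools such as Dependabot can still propose updates while the SHA stays authoritative.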
