www.stepsecurity.io
tj-actions/changed-files action compromised
Yikes! A secret-exfiltration attack was slipped into a GitHub Actions action I’ve used in some of my pipelines, three hours after I last used it.
Fortunately, while I’ve used it a lot in the past, the only place I still used it at the time of the incident was my private repo for Innerhelm, and only public repos are affected: the exfiltration mechanism was to write the secrets, double-base64 encoded, into the workflow logs, which anyone can read on a public repo but not on a private one. (“There is no evidence that the leaked secrets were exfiltrated to any remote network destination.” Phew!)
I’ve removed that action from Innerhelm’s workflow now, but the real takeaway here is to pin your actions to specific commit hashes rather than version tags (which I have also done for the single remaining third-party action in my pipelines).
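As an added example (my own, not code from the original post or from any of the projects it mentions), here is a small Python check that scans a workflow file for `uses:` references that are not pinned to a full 40-hex-character commit SHA. A tag or branch name is a mutable pointer that can be moved to a different commit; a commit SHA is not, which is why the check accepts nothing else. The workflow text below is constructed for illustration, and the SHA in it is a placeholder, not a real commit.

```python
import re

# Matches a `uses:` step in a GitHub Actions workflow and captures the action
# path (owner/repo or owner/repo/subdir) and the ref after `@`. Steps without
# an `@` (local `./path` actions) are not matched and therefore not reported.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'@]+)@([^\s"\'#]+)', re.MULTILINE)

# A pin is only a pin if it is a full 40-character hex commit SHA.
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def find_unpinned_actions(workflow_text: str) -> list[tuple[str, str]]:
    """Return (action, ref) pairs whose ref is a tag or branch, not a commit SHA.

    docker:// references use image digests rather than git SHAs and are skipped;
    they are out of scope for this check.
    """
    unpinned = []
    for match in USES_RE.finditer(workflow_text):
        action, ref = match.group(1), match.group(2)
        if action.startswith("docker://"):
            continue
        if not FULL_SHA_RE.match(ref):
            unpinned.append((action, ref))
    return unpinned


# Constructed sample workflow. The 40-hex SHA below is a placeholder value
# chosen for the example, not a real commit of actions/setup-node.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4.0.3
      - uses: ./.github/actions/local-thing
      - name: run
        run: echo hi
"""


if __name__ == "__main__":
    for action, ref in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"unpinned: {action}@{ref}")
```

Running this over the sample reports `actions/checkout@v4` and `tj-actions/changed-files@v45` as unpinned, while the SHA-pinned `actions/setup-node` step and the local action pass. The trailing `# v4.0.3` comment on the pinned step is the usual convention for keeping the human-readable version next to the SHA; the regex stops at the `#`, so the comment does not affect the check.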