On March 14, 2025 at 16:57:45 UTC the tj-actions/changed-files GitHub action was compromised with commit 0e58ed8 ("chore(deps): lock file maintenance (#2460)"). This commit was added to all 361 tagged versions of the GitHub action. The malicious commit runs a script that can leak CI/CD secrets from runner memory.
The compromised action has been removed from GitHub. We are discovering open source projects which are using the compromised action. StepSecurity [0] and Semgrep [1] posted early analysis.

Cheers,
Mark

[0] https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised
[1] https://semgrep.dev/blog/2025/popular-github-action-tj-actionschanged-files-is-compromised/
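As an added defender-side check (not part of the original post, nor tooling from the tj-actions project): a script that scans GitHub workflow files for references to tj-actions/changed-files and flags every one not pinned to a full commit SHA, since all tags were retargeted to the malicious commit. The sample workflow and the 40-hex SHA in it are constructed placeholders.

```python
import re
import sys

# Added example, not the project's code: every tag was retargeted to the
# malicious commit, so only a step pinned to the full SHA of a known-good
# revision is unaffected; refs starting with 0e58ed8 (its short hash) are flagged.
USES_RE = re.compile(
    r"^[ \t]*-?[ \t]*uses:[ \t]*['\"]?tj-actions/changed-files@([^'\"\s#]+)",
    re.MULTILINE,
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
MALICIOUS_PREFIX = "0e58ed8"  # short hash of the malicious commit from the advisory

def classify_ref(ref):
    """'compromised' for the malicious commit, 'sha' for a full 40-hex pin,
    otherwise 'mutable' (a tag or branch, all of which were retargeted)."""
    if ref.startswith(MALICIOUS_PREFIX):
        return "compromised"
    return "sha" if FULL_SHA_RE.match(ref) else "mutable"

def find_changed_files_uses(text):
    """Return (line_number, ref, classification) for each use in workflow text."""
    hits = []
    for m in USES_RE.finditer(text):
        line_no = text.count("\n", 0, m.start()) + 1  # match starts at line start
        hits.append((line_no, m.group(1), classify_ref(m.group(1))))
    return hits

def needs_review(text):
    """Only the references that are not pinned to a full commit SHA."""
    return [h for h in find_changed_files_uses(text) if h[2] != "sha"]

# Constructed sample workflow; the 40-hex value is a placeholder, not a real pin.
SAMPLE_WORKFLOW = """\
name: ci
jobs:
  changes:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: "tj-actions/changed-files@main"
      - uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567 # v45
"""

if __name__ == "__main__":
    # Usage: python scan.py .github/workflows/*.yml  (no arguments: scan the sample)
    sources = [(p, open(p).read()) for p in sys.argv[1:]] or [("sample", SAMPLE_WORKFLOW)]
    for name, text in sources:
        for line_no, ref, kind in needs_review(text):
            print(f"{name}:{line_no}: tj-actions/changed-files@{ref} [{kind}]")
```

A SHA pin is only as safe as the revision it names, so the flagged list is a review queue, not a clean bill of health for the unflagged steps.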