Evan (CC'd) wrote tooling to detect tj-actions/changed-files compromises over the weekend.
tj-scan is now public and aims to help others review logs from their private and public repos for leaked credentials.

https://github.com/chainguard-dev/tj-scan

Mark

On Sat, Mar 15, 2025 at 12:03 PM Mark Esler <mark.es...@chainguard.dev> wrote:
>
> On March 14 2025 at 16:57:45 UTC the tj-actions/changed-files GitHub action was
> compromised with commit 0e58ed8 ("chore(deps): lock file maintenance
> (#2460)").
> This commit was added to all 361 tagged versions of the GitHub action. This
> malicious commit results in a script that can leak CI/CD secrets from runner
> memory.
>
> The compromised action has been removed from GitHub.
>
> We are discovering open source projects which are using the compromised
> action.
>
> StepSecurity [0] and Semgrep [1] posted early analysis.
>
> Cheers,
> Mark
>
> [0]
> https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised
> [1]
> https://semgrep.dev/blog/2025/popular-github-action-tj-actionschanged-files-is-compromised/
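
Added example, not part of the original messages and not code from tj-scan: a small inventory check that finds where a workflow file references the action named above and whether each reference is a tag or branch, a full commit SHA, or the commit id quoted in the advisory. The function names, labels and sample workflow are constructed for illustration.

```python
import re

ACTION = "tj-actions/changed-files"  # action named in the advisory
BAD_COMMIT_PREFIX = "0e58ed8"        # short commit id quoted in the advisory

# Matches "uses: tj-actions/changed-files@<ref>" with or without a list dash.
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*['\"]?" + re.escape(ACTION) + r"@([^\s'\"#]+)",
    re.IGNORECASE,
)

def classify(ref):
    """Label one ref: malicious-commit, pinned-sha, or mutable-ref."""
    ref = ref.lower()
    if re.fullmatch(r"[0-9a-f]{7,40}", ref) and ref.startswith(BAD_COMMIT_PREFIX):
        return "malicious-commit"
    if re.fullmatch(r"[0-9a-f]{40}", ref):
        return "pinned-sha"
    # The advisory says the commit was added to all tagged versions;
    # branch names can move as well, so both need log review.
    return "mutable-ref"

def scan_workflow(text):
    """Return (line_number, ref, label) for each use of the action."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):  # skip commented-out steps
            continue
        match = USES_RE.match(line)
        if match:
            findings.append((number, match.group(1), classify(match.group(1))))
    return findings

PINNED = "a" * 40  # constructed placeholder SHA, not a real commit
SAMPLE = f"""\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      # - uses: tj-actions/changed-files@v44
      - name: pinned step
        uses: tj-actions/changed-files@{PINNED}  # pinned
      - uses: tj-actions/changed-files@{BAD_COMMIT_PREFIX}
"""

if __name__ == "__main__":
    for number, ref, label in scan_workflow(SAMPLE):
        print(f"line {number}: @{ref} -> {label}")
```

A `mutable-ref` or `malicious-commit` finding marks a workflow whose run logs from the affected period should be reviewed for leaked credentials, which is the job tj-scan is described as doing.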