Major Companies Hurry to React After Supply Chain Breach Reveals Confidential Information


# **GitHub Actions Supply-Chain Breach: tj-actions/changed-files Exploited with Credential-Stealing Malware**

## **Overview**
A recent supply-chain breach has affected the open-source GitHub Actions package, **tj-actions/changed-files**, impacting more than **23,000 organizations**. This incident involved unauthorized alterations to the package, which enabled attackers to acquire sensitive credentials from compromised repositories. The event underscores the increasing dangers linked to open-source software and the necessity for enhanced security practices in **Continuous Integration and Continuous Deployment (CI/CD)** workflows.

## **Incident Summary**
The **tj-actions/changed-files** package, which is a popular GitHub Action, was **breached** when attackers obtained unauthorized access to a maintainer’s account. The adversaries changed the package’s **tags**, redirecting them to a harmful file that extracted sensitive credentials from server memory. These credentials were then publicly recorded, making them susceptible to potential exploitation.

### **Main Aspects of the Breach:**
- The **malicious update** was implemented on or prior to **Friday**.
- The update modified the **tags** to redirect to a file that **copied server memory**, searched for credentials, and logged them.
- Numerous repositories utilizing **tj-actions/changed-files** inadvertently revealed their **AWS keys, GitHub Personal Access Tokens (PATs), npm tokens, private RSA keys**, and other critical information.

## **Mechanics of the Breach**
1. **Unauthorized Entry:** Attackers gained access to a **tj-actions maintainer’s accounts**.
2. **Malicious Code Insertion:** They changed the **tags** in the repository to lead to a harmful script.
3. **Credential Collection:** The script **gathered credentials** from server memory and logged them.
4. **Public Disclosure:** Numerous repositories using **tj-actions/changed-files** unintentionally **logged their credentials**, granting access to anyone.
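
A build log can be checked for the credential types named above with a small scanner. This is an added example, not code from the original article or from any vendor report; the token patterns are assumptions about common credential formats, and the sample log is constructed.

```python
import re

# Assumed shapes for the credential types the article lists.
# AWS secret access keys have no fixed prefix, so only key IDs are matched.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "npm_token": re.compile(r"\bnpm_[A-Za-z0-9]{36}\b"),
    "rsa_private_key": re.compile(r"-----BEGIN RSA PRIVATE KEY-----"),
}

def redact(value, keep=4):
    """Keep a short prefix so the report itself does not re-leak the secret."""
    return value[:keep] + "*" * (len(value) - keep)

def scan_log(text):
    """Return (line_no, kind, redacted_match) for every credential-shaped string."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((line_no, kind, redact(match.group(0))))
    return findings

# Constructed sample log; every value below is fake.
SAMPLE_LOG = "\n".join([
    "Run tj-actions/changed-files@v1",
    "AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE00",
    "token: ghp_" + "A1b2" * 9,
    "Using commit 0123456789abcdef0123456789abcdef01234567",
    "-----BEGIN RSA PRIVATE KEY-----",
    "//registry.npmjs.org/:_authToken=npm_" + "Zz09" * 9,
])

if __name__ == "__main__":
    for line_no, kind, shown in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {kind}: {shown}")
```

Any hit means the credential should be treated as exposed and rotated, since the log may already have been read.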

### **Factors Contributing to the Attack’s Success:**
- A significant number of GitHub users **trusted tags** rather than **pinning specific commit hashes**.
- The **malicious update** was not detected immediately, allowing it to propagate.
- Publicly accessible repositories had their credentials exposed to all.

## **Response to the Breach**
### **Actions Taken by GitHub**
- **Suspended affected accounts** and eliminated harmful content.
- **Restored the repository** after confirming the problem was resolved.
- **Recommended best practices**, including reviewing GitHub Actions prior to updates.

### **Measures Implemented by tj-actions Maintainers**
- The compromised **bot account’s password** was updated.
- The account was secured with a **passkey**, enforcing **two-factor authentication (2FA)**.

### **Discovery of the Breach**
The security firm **StepSecurity** first identified the breach through **anomaly detection**, observing unusual network traffic. The incident was later validated by **Wiz**, which discovered that **dozens of repositories** had been affected.

## **Takeaways & Recommended Practices**
This breach emphasizes the **security risks** associated with **open-source supply chains**. Developers and organizations must implement **stronger security measures** to avert similar events.

### **How to Safeguard Your Repositories**
1. **Pin Specific Commit Hashes**
   - Rather than referencing **tags**, reference **commit hashes** to guarantee you’re using a **verified** version of an action.

2. **Conduct Regular Dependency Audits**
   - Review **GitHub Actions** and other dependencies before updates.
   - Employ tools like **Dependabot** to identify security vulnerabilities.

3. **Activate Two-Factor Authentication (2FA)**
   - Safeguard **maintainer accounts** with **passkeys or hardware security keys**.

4. **Monitor Logs for Irregularities**
   - Employ **log monitoring tools** to identify **unexpected credential exposures**.

5. **Restrict Repository Access**
   - Restrict **GitHub Actions** from accessing **sensitive environment variables**.

6. **Utilize Secrets Management Solutions**
   - Securely store credentials using **GitHub Secrets, HashiCorp Vault, or AWS Secrets Manager**.
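
For item 1, the following audit lists every `uses:` reference in a workflow file that is not pinned to a full commit hash, which are the references a moved tag can silently change. It is an added example, not code from the original article or from GitHub; the sample workflow is constructed, and its 40-character hash and `example-org/scanner` are placeholders.

```python
import re

# Captures the value of a `uses:` key, ignoring quotes and trailing comments.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^\s'"#]+)""")
FULL_SHA_RE = re.compile(r"[0-9a-fA-F]{40}")

def classify(target):
    """Return (action, ref, pinned) for one `uses:` value, or None to skip it."""
    if target.startswith("./"):
        return None  # local action, versioned together with the workflow
    if target.startswith("docker://"):
        # An image digest is immutable; an image tag is not.
        return target, None, "@sha256:" in target
    action, _, ref = target.partition("@")
    return action, ref or None, bool(FULL_SHA_RE.fullmatch(ref))

def unpinned_actions(workflow_text):
    """List (line_no, action, ref) for every reference a tag move could change."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        result = classify(match.group(1))
        if result and not result[2]:
            findings.append((line_no, result[0], result[1]))
    return findings

# Constructed sample workflow; the 40-character SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v1
      - uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - uses: ./.github/actions/local-lint
      - name: scan
        uses: example-org/scanner@main
"""

if __name__ == "__main__":
    for line_no, action, ref in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action}@{ref} is not pinned to a full commit SHA")
```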

## **Final Thoughts**
The **tj-actions/changed-files** breach serves as a **wake-up call** for developers and organizations that depend on **open-source software**. Supply-chain breaches are becoming increasingly **complex**, and **robust security practices** are vital to prevent **credential theft** and **data breaches**. By **pinning commit hashes, enabling 2FA, auditing dependencies, and monitoring logs**, organizations can **mitigate their risks** and **secure their software supply chains**.

For additional guidance, consult security reports from **StepSecurity**, **Wiz**, and **Semgrep**.