GitHub Actions Supply Chain Attack: A Wake-Up Call for CI/CD Security

A recent breach in tj-actions/changed-files, a GitHub Action used by 23,000+ repositories, exposed sensitive workflow secrets. Attackers injected a payload to dump CI/CD runner memory data, leaking environment variables and secrets in workflow logs.

Immediate Steps for Affected Users:

  • Identify usage of tj-actions/changed-files in your workflows.
  • Review workflow logs for any suspicious activity.
  • Rotate all exposed secrets immediately.
  • Investigate for any signs of malicious activity.

Key Takeaway: This incident underscores the importance of strict security controls in development pipelines, governance over third-party services, and Pipeline-Based Access Controls (PBAC).

You Should Know:

1. Identify Usage:

grep -r "tj-actions/changed-files" .github/workflows/

This command searches for the compromised GitHub Action in your workflow files.

2. Review Workflow Logs:

  • Navigate to the “Actions” tab in your GitHub repository.
  • Check the logs of recent workflow runs for any unusual activity or leaked secrets.
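When reading through run logs by hand, it helps to have a first-pass filter. The script below is an added example, not code from the original post: it scans a workflow log for two heuristic signals of leaked secrets, well-known token formats (GitHub personal access tokens, AWS access key IDs) and long contiguous base64-looking runs, which is how an encoded dump of runner memory would appear and which GitHub's log masking (a literal match on the registered secret value) does not redact. The log lines, timestamps and token values are constructed for the demo; the token values are fake.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Heuristic scan of a GitHub Actions
# run log for likely leaked secrets. Sample log content is constructed.
set -eu

# Write a constructed log: one long encoded blob (line 4) and one fake
# GitHub-token-shaped string (line 5). Neither value is real.
write_sample_log() {
  cat > "$1" <<'EOF'
2025-01-01T10:00:01Z Run tj-actions/changed-files@v45
2025-01-01T10:00:02Z Detecting changed files...
2025-01-01T10:00:03Z ##[group]debug
2025-01-01T10:00:03Z QUtJQUZBS0VLRVkQUtJQUZBS0VLRVkQUtJQUZBS0VLRVkQUtJQUZBS0VLRVkQUtJQUZBS0VLRVkQUtJQUZBS0VLRVkQUtJQUZBS0VLRVk==
2025-01-01T10:00:04Z token=ghp_FAKE00000000000000000000000000000000
2025-01-01T10:00:05Z Done.
EOF
}

# Print "<line-number>:<signal>" for each suspicious line in the log file $1.
#   token-pattern : GitHub PAT (ghp_ + 36 chars) or AWS access key ID (AKIA + 16 chars)
#   encoded-blob  : 80 or more consecutive base64-alphabet characters
# "|| true" keeps "set -e" from aborting when a signal has no matches.
scan_log_for_leaks() {
  log="$1"
  grep -nE 'ghp_[A-Za-z0-9]{36}|AKIA[0-9A-Z]{16}' "$log" \
    | sed 's/^\([0-9]*\):.*/\1:token-pattern/' || true
  grep -nE '[A-Za-z0-9+/]{80,}={0,2}' "$log" \
    | sed 's/^\([0-9]*\):.*/\1:encoded-blob/' || true
}

# Count of flagged lines; a non-zero result means the run needs a manual look
# and the secrets the job could reach should be treated as exposed.
count_suspicious_lines() {
  scan_log_for_leaks "$1" | grep -c . || true
}

# Stand-alone demo on the constructed log.
demo_log=$(mktemp)
write_sample_log "$demo_log"
scan_log_for_leaks "$demo_log"
echo "suspicious lines: $(count_suspicious_lines "$demo_log")"
rm -f "$demo_log"
```

Both signals are deliberately coarse: the blob rule will also flag legitimate base64 output such as embedded certificates, so treat a hit as a prompt for review rather than proof of a leak. A log with no hits is not proof of safety either, since an attacker can encode output in any scheme.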

3. Rotate Secrets:

  • Use GitHub’s built-in secret management to update your secrets:
    gh secret set <SECRET_NAME> --body "<NEW_SECRET_VALUE>"
    
  • Ensure all collaborators update their local environments with the new secrets.

4. Investigate Malicious Activity:

  • Use GitHub’s audit log to track any suspicious actions (the organization audit log API is available on GitHub Enterprise Cloud):
    gh api "/orgs/<ORG>/audit-log" --paginate

  • Monitor for any unauthorized access or changes to your repositories.

5. Enhance Security:

  • Implement Pipeline-Based Access Controls (PBAC) to restrict access to sensitive workflows.
  • Regularly review and update your third-party actions to ensure they are from trusted sources.
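The grep in step 1 tells you whether the action is referenced at all; the follow-up question for step 5 is how each reference is pinned. A `uses:` line that names a tag or branch (`@v45`, `@main`) resolves to whatever commit that ref points at when the job runs, so a compromised upstream can repoint it; a full 40-character commit SHA cannot be moved. The script below is an added example, not code from the original post or from the tj-actions project: it lists every reference to a given action under a workflow directory and classifies it as SHA-pinned or mutable. It generalizes beyond the compromised action, since the action name is a parameter. The workflow file, directory names and the 40-hex SHA are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or the tj-actions project).
# Classifies "uses:" references to a GitHub Action as pinned to an immutable
# commit SHA or to a mutable tag/branch. All sample data is constructed.
set -eu

# Write a constructed workflow with one tag-pinned and one SHA-pinned reference.
# The 40-hex value is a placeholder, not a real commit of the action.
make_sample_workflows() {
  dir="$1"
  mkdir -p "$dir"
  cat > "$dir/ci.yml" <<'EOF'
name: ci
on: [pull_request]
jobs:
  changed:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45   # mutable tag
      - uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567   # placeholder SHA
EOF
}

# Print "<file> <ref> <kind>" for each reference to action $2 (default: the
# compromised action) found under directory $1; kind is "sha" for a full
# 40-hex commit SHA and "mutable" for anything else (tag or branch).
classify_action_refs() {
  dir="$1"
  action="${2:-tj-actions/changed-files}"
  grep -rEo "uses:[[:space:]]*${action}@[^[:space:]#]+" "$dir" |
  while IFS= read -r hit; do
    file="${hit%%:*}"      # grep -r prefixes each match with "<path>:"
    ref="${hit##*@}"       # text after the last "@" is the pinned ref
    if printf '%s' "$ref" | grep -Eq '^[0-9a-f]{40}$'; then
      kind=sha
    else
      kind=mutable
    fi
    printf '%s %s %s\n' "$file" "$ref" "$kind"
  done
}

# Number of references that are not SHA-pinned. A policy check in CI would
# fail the build when this is non-zero. "|| true" keeps "set -e" happy when
# grep -c finds nothing and exits 1 while still printing 0.
count_mutable_refs() {
  classify_action_refs "$1" "${2:-tj-actions/changed-files}" | grep -c ' mutable$' || true
}

# Stand-alone demo on the constructed workflow directory.
demo_dir=$(mktemp -d)
make_sample_workflows "$demo_dir"
classify_action_refs "$demo_dir"
echo "mutable references to tj-actions/changed-files: $(count_mutable_refs "$demo_dir")"
rm -rf "$demo_dir"
```

Run it against a real repository with `classify_action_refs .github/workflows` and treat every `mutable` line as work to do: replace the tag with the commit SHA it currently resolves to, keep the tag in a trailing comment so humans can still read the version, and bump the SHA deliberately when you have reviewed the new release. SHA pinning does not help if the pinned commit itself was malicious, which is why the rotation and log review steps above still apply.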

What Undercode Says:

This incident highlights the critical need for robust security practices in CI/CD pipelines. Always verify the integrity of third-party actions and regularly audit your workflows. Implement strict access controls and monitor for any unusual activity. By following these steps, you can mitigate the risk of similar attacks and protect your development environment.

Additional Commands for Enhanced Security:

  • Check for Vulnerabilities in Dependencies:
    npm audit
    or
    yarn audit

  • Scan for Secrets in Your Codebase:
    trufflehog --regex --entropy=False .

  • Monitor GitHub Actions in Real-Time:
    gh run watch

  • List All Secrets in a Repository:
    gh secret list

  • Remove a Compromised Secret:
    gh secret delete <SECRET_NAME>

  • Update GitHub Actions:
    Pin each third-party action in your workflow files to a full commit SHA and bump it deliberately after reviewing the new release (the gh CLI has no `actions update` subcommand).

Stay vigilant and proactive in securing your CI/CD pipelines to prevent future breaches.

References:

Reported By: Unit42 Github – Hackers Feeds