Understanding the tj-actions/changed-files Supply Chain Attack

The tj-actions/changed-files compromise is one of the most intriguing and widespread supply chain attacks observed recently. The attack specifically targeted workflows referencing "uses: tj-actions/changed-files" and lasted approximately 12 hours. It did not involve external exfiltration of secrets; instead, secrets were only viewable directly from the GitHub portal. This means that private GitHub repository secrets cannot be accessed by attackers unless they have direct access to view the action's run output.

Key Takeaways:

  • Timeline: The attack started roughly 20 hours ago and lasted about 12 hours.
  • Nature of the Attack: No external exfiltration of secrets; secrets are only viewable directly from the GitHub portal.
  • Actual Risk: Workflows must explicitly reference secrets (e.g., ${{ secrets.ENV_SECRET }}) to leak sensitive information. Workflows without explicit references to custom secrets were not meaningfully impacted.

How to Check if You Were Vulnerable:

  1. Global search for references to the compromised action: Link
  2. Global search for references to the compromised action + custom secrets declaration: Link
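The two global searches above can also be run locally against a repository's own workflow files. The following script is an added example, not part of the original post or of the tj-actions project: it scans `.github/workflows/` for any `uses: tj-actions/changed-files` step and reports which `${{ secrets.* }}` references the same workflow carries, separating the default `GITHUB_TOKEN` from custom secrets, since the post's "Actual Risk" point hinges on that distinction. It goes one step beyond the page by also noting whether the action reference is pinned to a full 40-character commit SHA rather than a tag; the sample workflows embedded below are constructed for the example.

```python
"""Scan GitHub Actions workflow files for tj-actions/changed-files usage and secret references."""
import re
from pathlib import Path

# Constructed sample workflows (not from any real repository) so the script runs offline.
SAMPLE_WORKFLOWS = {
    "ci.yml": """
name: CI
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - run: ./deploy.sh
        env:
          DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}
""",
    "lint.yml": """
name: Lint
on: [push]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - run: npm run lint
""",
    "release.yml": """
name: Release
on: [push]
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: gh release create
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
""",
}

# Matches the compromised action and captures the ref after '@' (tag, branch or commit SHA), if any.
USES_RE = re.compile(r"uses:\s*['\"]?tj-actions/changed-files(?:@([^\s'\"]+))?")
# Matches ${{ secrets.NAME }} expressions and captures NAME.
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")
# A full-length commit SHA pin (40 hex characters).
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def assess_workflow(text):
    """Describe one workflow's exposure, or return None if it does not use the action."""
    match = USES_RE.search(text)
    if not match:
        return None
    ref = match.group(1) or ""
    secrets = sorted(set(SECRET_RE.findall(text)))
    # GITHUB_TOKEN is job-scoped and short-lived; the post's concern is custom secrets.
    custom = [name for name in secrets if name != "GITHUB_TOKEN"]
    return {
        "ref": ref,
        "pinned_to_sha": bool(SHA_RE.match(ref)),
        "secrets": secrets,
        "custom_secrets": custom,
        "risk": "high" if custom else "low",
    }


def scan_workflows(workflows):
    """Map workflow name -> assessment for every workflow that uses the action."""
    results = {}
    for name, text in workflows.items():
        assessment = assess_workflow(text)
        if assessment is not None:
            results[name] = assessment
    return results


def scan_directory(path=".github/workflows"):
    """Read every .yml/.yaml file under path and assess it."""
    root = Path(path)
    files = list(root.glob("*.yml")) + list(root.glob("*.yaml"))
    return scan_workflows({p.name: p.read_text() for p in files})


if __name__ == "__main__":
    for name, result in scan_workflows(SAMPLE_WORKFLOWS).items():
        print(name, result)
```

Run `scan_directory()` from a repository root to assess real files; workflows reported as `high` are the ones whose run logs warrant the inspection described in the next section.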

What Next?

After identifying a matched workflow, click on “View Runs” on the top right of the file, then observe whether your secrets were leaked in a double-encoded base64 payload under the expanded “changed-files” line.
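Reading a double-encoded base64 blob out of a run log by eye is error-prone, so here is an added example (not code from the original post) that does the check programmatically: it pulls out long base64-looking tokens from downloaded log lines, decodes each one twice, and reports which of your known secret names appear in the decoded text. The log excerpt and the secret values in it are constructed for this example, and the assumption that decoded content contains `NAME=value` lines is mine; any blob that decodes cleanly should be reviewed by hand regardless of whether a known name matches.

```python
"""Check GitHub Actions run-log lines for double-base64-encoded blobs that expose secret names."""
import base64
import binascii
import re

# Constructed log excerpt: the middle line carries a payload that was base64-encoded twice.
# The secret values are fake and made up for this example.
_INNER = "DEPLOY_KEY=EXAMPLE-NOT-A-REAL-KEY\nAWS_SECRET_ACCESS_KEY=EXAMPLEexampleEXAMPLE1234"
_BLOB = base64.b64encode(base64.b64encode(_INNER.encode())).decode()
SAMPLE_LOG = [
    "2025-03-15T10:01:02Z Run tj-actions/changed-files@v45",
    "2025-03-15T10:01:03Z " + _BLOB,
    "2025-03-15T10:01:04Z All files: 3 changed",
]

# A run of at least 40 base64 characters with optional padding; short tokens are ignored.
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def try_double_decode(token):
    """Base64-decode token twice and return the text, or None if either layer is not valid base64/UTF-8."""
    try:
        once = base64.b64decode(token, validate=True)
        twice = base64.b64decode(once, validate=True)
        return twice.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def decoded_blobs(log_lines):
    """Return every successfully double-decoded blob found in the log, for manual review."""
    blobs = []
    for line in log_lines:
        for token in B64_TOKEN_RE.findall(line):
            text = try_double_decode(token)
            if text is not None:
                blobs.append(text)
    return blobs


def find_leaked_names(log_lines, known_secret_names):
    """Return the known secret names that appear as 'NAME=' at the start of a line in any decoded blob."""
    leaked = set()
    for text in decoded_blobs(log_lines):
        for name in known_secret_names:
            if re.search(rf"(?m)^{re.escape(name)}=", text):
                leaked.add(name)
    return sorted(leaked)


if __name__ == "__main__":
    names = ["DEPLOY_KEY", "AWS_SECRET_ACCESS_KEY", "UNUSED_SECRET"]
    print("decoded blobs:", len(decoded_blobs(SAMPLE_LOG)))
    print("leaked:", find_leaked_names(SAMPLE_LOG, names))
```

Feed the function the raw log text downloaded from the run page (one string per line) and the list of secret names configured for the repository; every name it returns should be treated as compromised and rotated.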

You Should Know:

  • GitHub Commands to Rotate Secrets:

    # Authenticate gh with the newly created token (the new PAT itself is generated in GitHub account settings)
    gh auth login --with-token < new_token.txt

    # Remove the old credential from the local gh store (also revoke the old PAT in GitHub account settings)
    gh auth logout

  • AWS CLI Commands to Rotate AWS Keys:

    # Create a new AWS access key
    aws iam create-access-key --user-name <username>

    # Deactivate old AWS access key
    aws iam update-access-key --access-key-id <old-key-id> --status Inactive --user-name <username>

    # Delete old AWS access key
    aws iam delete-access-key --access-key-id <old-key-id> --user-name <username>

  • Linux Commands to Check for Malicious Activity:

    # Check for unusual processes
    ps aux | grep -i 'changed-files'

    # Monitor network connections (-l would list only listening sockets and -n would suppress hostnames, so 'github' could never match)
    netstat -tup | grep -i 'github'
        

What Undercode Say:

Supply chain attacks like the tj-actions/changed-files compromise highlight the importance of robust vulnerability management and secret rotation practices. Regularly rotating secrets, monitoring for unusual activity, and using tools to detect and neutralize such attacks are crucial. The attack underscores the need for continuous vigilance in the OSS landscape, where sophisticated payloads can easily bypass traditional blue team defenses. For more detailed information, refer to the Wiz Blog.

References:

Reported By: Activity 7306719914562600960 – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
