Published on: 2025-04-28 04:31:26
A sophisticated cascading supply chain attack has compromised multiple GitHub Actions, exposing critical CI/CD secrets across tens of thousands of repositories. The attack, which originally targeted the widely used “tj-actions/changed-files” utility, is now believed to have originated from an earlier breach of the “reviewdog/action-setup@v1” GitHub Action, according to a report. The initial compromise of tj-actions/changed-files, designated as CVE-2025-30066, was discovered last week when resea
Keywords: access action actions chain github
Published on: 2025-04-30 05:15:19
Scientists believe they may have found the reason why some patients get so sick from the contrast dye they're injected with before magnetic resonance imaging (MRI) scans. As a University of New Mexico (UNM) press release explains, researchers at the institution's medical school believe they've found a link between oxalic acid — a molecule found in foods as disparate as sweet potatoes, spinach, chocolate and almonds, as well as some Vitamin C supplements — and
Keywords: dye gadolinium mri patients reactions
Published on: 2025-05-15 11:46:50
A cascading supply chain attack on GitHub that targeted Coinbase in March has now been traced back to a single token stolen from a SpotBugs workflow, which allowed a threat actor to compromise multiple GitHub projects. The popular static analysis tool SpotBugs was breached in November 2024, leading to the compromise of Reviewdog, which subsequently led to the infection of tj-actions/changed-files. The multi-step supply chain attack eventually exposed secrets in 218 repositories, while the late
Keywords: actions attack attacker chain malicious
Published on: 2025-05-22 22:54:46
A potential supply chain attack on GitHub CodeQL started simply: a publicly exposed secret, valid for 1.022 seconds at a time. In that second, an attacker could take a series of steps that would allow them to execute code within a GitHub Actions workflow in most repositories using CodeQL, GitHub’s code analysis engine trusted by hundreds of thousands of repositories. The impact would reach both public GitHub (GitHub Cloud) and GitHub Enterprise. If backdooring GitHub Actions sounds familiar, t
Keywords: actions codeql github repository workflow
Published on: 2025-05-24 19:26:00
Spending money is easy. Keeping track of how much money you spend, not so much. Even if you're good at recording all your expenses in a financial program like Quicken, QuickBooks, or Xero, understanding your expenses and turning all of that transaction data into actionable insights can be more difficult. But, as it turns out, AI can help make that process much eas
Keywords: ai expenses prompt transactions vendors
Published on: 2025-05-26 19:57:59
As if things weren’t embarrassing enough for national security adviser Michael Waltz, what with inviting a journalist into a private policy group chat and all, Wired discovered that his Venmo account was wide open, revealing the names of “hundreds of Waltz’s personal and professiona
Keywords: friends private settings transactions venmo
Published on: 2025-05-30 13:17:05
Whose code am I running in GitHub Actions? A week ago, somebody added malicious code to the tj-actions/changed-files GitHub Action. If you used the compromised action, it would leak secrets to your build log. Those build logs are public for public repositories, so anybody could see your secrets. Scary! Mutable vs immutable references This attack was possible because it’s common practice to refer to tags in a GitHub Actions workflow, for example: jobs: changed_files: ... steps: - name: Get ch
Keywords: actions github ruby uses v4
Published on: 2025-05-30 07:44:25
The researchers found some intriguing differences between how men and women respond to using ChatGPT. After using the chatbot for four weeks, female study participants were slightly less likely to socialize with people than their male counterparts who did the same. Meanwhile, participants who interacted with ChatGPT’s voice mode in a gender that was not their own for their interactions reported significantly higher levels of loneliness and more emotional dependency on the chatbot at the end of t
Keywords: chatgpt interactions openai participants study
Published on: 2025-06-03 02:35:17
Researchers have determined that Coinbase was the primary target in a recent GitHub Actions cascading supply chain attack that compromised secrets in hundreds of repositories. According to new reports from Palo Alto Unit 42 and Wiz, the attack was carefully planned and began when malicious code was injected into reviewdog/action-setup@v1 GitHub Action. It is unclear how the breach occurred, but the threat actors modified the action to dump CI/CD secrets and authentication tokens into GitHub Act
Keywords: 42 action actions changed coinbase
Published on: 2025-06-03 21:44:25
The researchers found some intriguing differences between how men and women respond to using ChatGPT. After using the chatbot for four weeks, female study participants were slightly less likely to socialize with people than their male counterparts who did the same. Meanwhile, participants who set ChatGPT’s voice mode to a gender that was not their own for their interactions reported significantly higher levels of loneliness and more emotional dependency on the chatbot at the end of the experimen
Keywords: chatgpt emotional interactions participants says
Published on: 2025-06-07 06:13:39
Building and deploying a custom site using GitHub Actions and GitHub Pages I figured out a minimal pattern for building a completely custom website using GitHub Actions and deploying the result to GitHub Pages. First you need to enable GitHub Pages for the repository. Navigate to Settings -> Pages (or visit $repo/settings/pages ) and set the build source to "GitHub Actions". Here's my minimal YAML recipe - save this in a .github/workflows/publish.yml file: name : Publish site on : push : wor
Keywords: actions github minimal pages site
Published on: 2025-06-07 12:37:31
For the past two weeks, I’ve been spending most of my time rewriting our CI scripts in GitHub Actions. This is the third time we’ve had to redo our CI setup—first GitHub Actions, then Earthly (which we moved away from because it was discontinued), and now, reluctantly, back to GitHub Actions. Our CI is complex: merge queues, multiple runners (self-hosted, blacksmith.sh, GitHub-hosted), Rust builds, Docker images, and heavy integration tests. Every PR we merge burns through an hour of CI time, r
Keywords: actions build ci github invoke
Published on: 2025-06-10 14:03:50
A cascading supply chain attack that began with the compromise of the "reviewdog/action-setup@v1" GitHub Action is believed to have led to the recent breach of "tj-actions/changed-files" that leaked CI/CD secrets. Last week, a supply chain attack on the tj-actions/changed-files GitHub Action caused malicious code to write CI/CD secrets to the workflow logs for 23,000 repositories. If those logs had been public, then the attacker would have been able to steal the secrets. The tj-actions develop
Keywords: action actions reviewdog secrets tj
Published on: 2025-06-13 18:24:46
A supply chain attack on the widely used 'tj-actions/changed-files' GitHub Action, used by 23,000 repositories, potentially allowed threat actors to steal CI/CD secrets from GitHub Actions build logs. The GitHub Action is a very popular automation tool designed for GitHub Actions workflows. It allows developers to identify files changed in a pull request or commit and take actions based on those changes, generally used in testing, workflow triggering, and automated code linting and validation.
Keywords: action actions compromised github secrets
Published on: 2025-06-14 11:24:09
Open-source software used by more than 23,000 organizations, some of them in large enterprises, was compromised with credential-stealing code after attackers gained unauthorized access to a maintainer account, in the latest open-source supply-chain attack to roil the Internet. The corrupted package, tj-actions/changed-files, is part of tj-actions, a collection of files that's used by more than 23,000 organizations. Tj-actions is one of many Github Actions, a form of platform for streamlining so
Keywords: actions code open source tj
Published on: 2025-06-10 11:32:59
The first-ever published research on Tinshemet Cave reveals that Neanderthals and Homo sapiens in the mid-Middle Paleolithic Levant not only coexisted but actively interacted, sharing technology, lifest
Keywords: cave human interactions tinshemet zaidner
Published on: 2025-06-13 13:29:46
Introduction We are actively investigating a critical security incident involving the tj-actions/changed-files GitHub Action. While our investigation is ongoing, we want to alert users so they can take immediate corrective actions. We will keep this post updated as we learn more. StepSecurity Harden-Runner detected this issue through anomaly detection when an unexpected endpoint appeared in the network traffic. Based on our analysis, the incident started around 9:00 AM March 14th, 2025 Pacific
Keywords: action actions files github runner
Published on: 2025-06-14 06:43:02
Arguably, Semgrep is overkill for this case. But Lewis Ardern on our team wrote a Semgrep rule to find usages of tj-actions, which you can run locally (without sending code to the cloud) via: semgrep --config r/10Uz5qo/semgrep.tj-actions-compromised . And if we find more information about what tags & commits are affected, we can update the rule over time to become more precise about whether or not you could be impacted. At time of writing, it looks like all versions are compromised.
Keywords: actions compromised rule semgrep time
Published on: 2025-07-06 12:15:22
Today’s iOS 18.4 beta 2 offers the first major hints in Apple’s software of the upcoming big Siri upgrades. Apple has added a bunch of new Shortcuts app actions for Apple apps, with super fine-grained controls available for building shortcuts that change apps’ settings in various ways. iOS 18.4 Shortcuts actions provide glimpse into Siri powers coming soon Apple’s Shortcuts app hasn’t received as many noteworthy updates recently as it once did. But that appears set to change soon. Shortcuts’
Keywords: actions app ios new shortcuts
Published on: 2025-07-12 02:05:33
Nature is scary at all scales. Look no further than the winners of the Nature inFocus photography competition, whose winning photographs for 2024 were recently announced. Life of all sorts are constantly vying for another day on this Earth. Now, the Nature inFocus photography contest winners showcases the environs and interactions of a selection of Earth’s remarkable residents. From insect larvae and tiny seedlings to orca whales and sharks, the photos showcase life on scales small and large. T
Keywords: images interactions nature photography set
Published on: 2025-07-12 07:51:22
Twitch has rolled out a number of changes to its violation enforcement system. The biggest change is that now infractions will disappear from an account “after a set amount of time.” This is great news for long-time creators, as minor violations stacked. This led to folks getting suspended as these smaller infractions piled up. The platform says that most minor infractions, like cheating in an online game, will expire after 90 days. More serious violations, like participating in hateful conduct
Keywords: infractions suspension time twitch violations