Tj-actions/changed-files GitHub Action Compromised – used by over 23K repos

Introduction We are actively investigating a critical security incident involving the tj-actions/changed-files GitHub Action. While our investigation is ongoing, we want to alert users so they can take immediate corrective actions. We will keep this post updated as we learn more. StepSecurity Harden-Runner detected this issue through anomaly detection when an unexpected endpoint appeared in the network traffic. Based on our analysis, the incident started around 9:00 AM March 14th, 2025 Pacific Time (PT) / 4:00 PM March 14th, 2025 UTC. If you need any help investigating this issue, please contact us at [email protected] Update 1: Most versions of tj-actions/changed-files are compromised. Update 2: We have detected multiple public repositories have leaked secrets in build logs. As these build logs are public, anyone can steal these secrets. If you maintain any public repositories that use this Action, please review the recovery steps immediately. Update 3: GitHub has removed th ... Read full article.