Supply chain attack on popular GitHub Action exposes CI/CD secrets

Published on: 2025-06-14 09:24:46

A supply chain attack on the widely used 'tj-actions/changed-files' GitHub Action, used by 23,000 repositories, potentially allowed threat actors to steal CI/CD secrets from GitHub Actions build logs.

The GitHub Action is a very popular automation tool designed for GitHub Actions workflows. It allows developers to identify files changed in a pull request or commit and take actions based on those changes, and is generally used in testing, workflow triggering, and automated code linting and validation.

As first reported by StepSecurity, attackers added a malicious commit to the tool on March 14, 2025, at 4:00 PM UTC, that dumped CI/CD secrets from the Runner Worker process to the repository of any project using the action. As a result, if workflow logs were publicly accessible, anyone could read and steal the exposed secrets.

Attackers modified the action's code and retroactively updated multiple version tags to reference the malicious commit, so all versions of the tool were compromised. As per ...
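Because the attack worked by retargeting existing version tags, a workflow that references an action by tag (`@v45`) silently picks up whatever commit the tag points to next. Pinning to a full commit SHA removes that moving target. The following is an added example, not code from the article or from the tj-actions project: a small scanner that flags every `uses:` step in a workflow file that is not pinned to a 40-character commit SHA. The sample workflow and the SHA in it are constructed placeholders.

```python
import re

# Matches a workflow step reference of the form `uses: owner/repo[/path]@ref`,
# with or without a leading list dash or quotes.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'@]+)@([^\s"\']+)')
# A full Git commit SHA is immutable; tags and branches are not.
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def find_unpinned_actions(workflow_text):
    """Return (line_no, action, ref) for each third-party action whose ref
    is a tag, branch or abbreviated SHA instead of a full 40-hex commit SHA."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        action, ref = match.groups()
        # Local actions (./path) and container actions (docker://...) have no
        # GitHub tag to retarget, so they are out of scope for this check.
        if action.startswith("./") or action.startswith("docker://"):
            continue
        if not FULL_SHA_RE.match(ref):
            findings.append((line_no, action, ref))
    return findings


# Constructed sample workflow (not a real project's file). The setup-node
# step uses a placeholder SHA purely to show what a pinned reference looks like.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: changed files
        uses: tj-actions/changed-files@v45
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4
"""

if __name__ == "__main__":
    for line_no, action, ref in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action}@{ref} is not pinned to a full commit SHA")
```

Running the scan over every file under `.github/workflows/` as a CI gate catches a tag reference before a retargeted tag can pull a different commit into the build.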