Abstract
What began as a routine CI/CD run quickly uncovered a disturbing reality: the popular tj-actions/changed-files GitHub Action, used by 23,000+ repositories including those from NVIDIA, Meta, Microsoft and other tech giants, had been weaponized to exfiltrate secrets. This presentation dissects how one of the most consequential supply chain attacks of 2025 unfolded and was ultimately contained.
On March 14, 2025, at 1:01 PM PT, we detected an anomalous outbound network connection to gist.githubusercontent.com from a pipeline run. This single alert led to the discovery that attackers had redirected all tags of the tj-actions/changed-files GitHub Action to point to a single malicious commit. The compromised action dumped CI/CD credentials from memory and exposed them directly in build logs – requiring no additional exfiltration channels.
We’ll demonstrate how the attackers leveraged a previous compromise of the reviewdog GitHub Action to gain access to tj-actions, showcasing an emerging pattern of “chained” supply chain attacks. We will share actionable logic and methodologies to detect future CI/CD supply chain attacks by flagging deviations from established patterns of normal network activity - techniques that succeeded where traditional signature-based security failed against this sophisticated breach.
The presentation examines the real-world challenges faced by affected organizations: from identifying instances of the compromised action across their codebases, hunting for exposed credentials in build logs, determining which secrets required rotation, and implementing alternatives after the original action was temporarily removed. Through a live demonstration, attendees will witness both the attack mechanics and how organizations navigated these complex recovery scenarios with limited tooling and information.
Security professionals and developers will leave with concrete strategies to identify and mitigate similar supply chain compromises in their own CI/CD environments, where traditional indicators of compromise are deliberately minimized and trusted tools are weaponized against their users.