When ‘Changed Files’ Changed Everything: Uncovering and Responding to the tj-actions Supply Chain Breach

By Varun Sharma, Ashish Kurmi on 06 Aug 2025 @ Blackhat
#ci-cd #incident-management #devsecops #supply-chain #supply-chain-attack
Focus Areas: ⚖️ Governance, Risk & Compliance, 📦 Software Supply Chain Security, 🔐 Application Security, ⚙️ DevSecOps, 🚨 Incident Response


Abstract

What began as a routine CI/CD run quickly uncovered a disturbing reality: the popular tj-actions/changed-files GitHub Action, used by 23,000+ repositories including those from NVIDIA, Meta, Microsoft and other tech giants, had been weaponized to exfiltrate secrets. This presentation dissects how one of the most consequential supply chain attacks of 2025 unfolded and was ultimately contained.

On March 14, 2025, at 1:01 PM PT, we detected an anomalous outbound network connection to gist.githubusercontent.com from a pipeline run. This single alert led to the discovery that attackers had redirected all tags of the tj-actions/changed-files GitHub Action to point to a single malicious commit. The compromised action dumped CI/CD credentials from memory and exposed them directly in build logs – requiring no additional exfiltration channels.

We’ll demonstrate how the attackers leveraged a previous compromise of the reviewdog GitHub Action to gain access to tj-actions, showcasing an emerging pattern of “chained” supply chain attacks. We will share actionable logic and methodologies to detect future CI/CD supply chain attacks by flagging deviations from established patterns of normal network activity - techniques that succeeded where traditional signature-based security failed against this sophisticated breach.

The presentation examines the real-world challenges faced by affected organizations: identifying instances of the compromised action across their codebases, hunting for exposed credentials in build logs, determining which secrets required rotation, and implementing alternatives after the original action was temporarily removed. Through a live demonstration, attendees will witness both the attack mechanics and how organizations navigated these complex recovery scenarios with limited tooling and information.

Security professionals and developers will leave with concrete strategies to identify and mitigate similar supply chain compromises in their own CI/CD environments, where traditional indicators of compromise are deliberately minimized and trusted tools are weaponized against their users.

AI Generated Summary

This talk details the analysis of a sophisticated supply chain attack targeting the widely used tj-actions/changed-files GitHub Action. The core issue was the exploitation of mutable release tags, which an attacker redirected to a malicious “impostor commit” existing only in a forked repository. This commit contained code that dumped the memory of the runner.worker process—where CI/CD secrets are stored—and exfiltrated them via build logs using double Base64 encoding to bypass GitHub’s secret masking.

The attack was detected through baseline-driven monitoring of outbound network calls from the CI/CD runner, which flagged an anomalous connection to githubusercontent.com as the compromised action downloaded a memory-dumping script. The initial compromise stemmed from a separate, chained attack on the reviewdog/action-setup action, itself compromised via a stolen PAT from a maintainer whose token was leaked in another repository’s build logs.

The incident impacted over 23,000 public repositories, including major technology firms, and demonstrated a shift from theoretical to realized CI/CD supply chain attacks. Key recommendations include: pinning third-party actions to immutable commit SHAs instead of mutable tags; implementing an allow list for permitted actions; establishing security monitoring for CI/CD runners using tools like Falco or Tetragon to create behavioral baselines; and developing a specific incident response plan for compromised actions. The attack’s stealth—using trusted domains and leaving no trace in repository history—underscored the need for runtime security controls in CI/CD environments.
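The pinning and allow-list recommendations above can be checked mechanically in a repository's workflow files. The scanner below is an added example, not code from the talk or from the tj-actions project; the workflow text, the placeholder 40-hex SHA, the allow list and the `some-org/deploy-action` name are constructed for illustration. It flags `uses:` references that are not pinned to a full commit SHA, references to actions outside an allow list, and references to a known-compromised action, which covers both the "find every instance" step of the response and the preventive pinning control.

```python
"""Scan GitHub Actions workflow text for third-party action references that
are unpinned, not on an allow list, or known-compromised.
Added example for illustration; not the talk's or the project's own code."""
import re
from dataclasses import dataclass

# Matches a step's `uses:` line, with or without quotes and a trailing
# "# v1.2.3" comment, e.g.
#   - uses: owner/repo@v45
#   - uses: owner/repo@<40-hex-sha> # v4.2.2
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)['\"]?(?:\s*#\s*(.*))?\s*$"
)
# A full 40-character lowercase hex commit SHA is the only immutable form.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed workflow; the SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder pin
      - uses: tj-actions/changed-files@v45
      - uses: ./.github/actions/local-lint
      - uses: docker://alpine:3.20
      - name: Deploy
        uses: some-org/deploy-action@main
"""

# Hypothetical policy inputs for the example.
ALLOW_LIST = {"actions/checkout", "some-org/deploy-action"}
COMPROMISED = {"tj-actions/changed-files"}


@dataclass(frozen=True)
class Finding:
    line: int
    action: str   # owner/repo
    ref: str      # whatever follows '@' (tag, branch or SHA)
    issue: str    # "unpinned", "not-allowed" or "compromised"


def parse_uses(ref_text: str):
    """Split 'owner/repo[/path]@ref' into (owner/repo, ref).
    Returns None for local (./) and docker:// references, which are not
    marketplace actions and are out of scope for tag pinning."""
    if ref_text.startswith("./") or ref_text.startswith("docker://"):
        return None
    name, _, ref = ref_text.partition("@")
    parts = name.split("/")
    if len(parts) < 2:
        return None
    return "/".join(parts[:2]), ref


def scan_workflow(text: str, allow_list: set, compromised: set):
    """Return a list of Findings for every third-party action in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        parsed = parse_uses(m.group(1))
        if parsed is None:
            continue
        action, ref = parsed
        if action in compromised:
            findings.append(Finding(lineno, action, ref, "compromised"))
        if action not in allow_list:
            findings.append(Finding(lineno, action, ref, "not-allowed"))
        if not SHA_RE.match(ref):
            findings.append(Finding(lineno, action, ref, "unpinned"))
    return findings


def summarize(findings):
    """Count findings per issue type, e.g. {'unpinned': 2, ...}."""
    counts = {}
    for f in findings:
        counts[f.issue] = counts.get(f.issue, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_workflow(SAMPLE_WORKFLOW, ALLOW_LIST, COMPROMISED):
        print(f"line {f.line}: {f.action}@{f.ref or '<none>'}: {f.issue}")
    print(summarize(scan_workflow(SAMPLE_WORKFLOW, ALLOW_LIST, COMPROMISED)))
```

Run it over every file under `.github/workflows/` to get an inventory; a "compromised" finding is the trigger for the log-hunting and secret-rotation steps the abstract describes. Note the limit of an offline scan: a 40-hex SHA is immutable, but the scanner cannot tell whether that SHA exists in the upstream repository or only in a fork, which is exactly the "impostor commit" pattern the summary mentions, so a pinned SHA still needs to be confirmed against the upstream repository before it is trusted.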

Disclaimer: This summary was auto-generated from the video transcript using AI and may contain inaccuracies. It is intended as a quick overview; always refer to the original talk for authoritative content.