On 3/15/25 14:03, Mark Esler wrote:
> On March 14 2025 at 16:57:45 UTC the tj-action/changed-files GitHub action was
> compromised with commit 0e58ed8 ("chore(deps): lock file maintenance (#2460)").
> This commit was added to all 361 tagged versions of the GitHub action. This
> malicious commit results in a script that can leak CI/CD secrets from runner
> memory.
>
> [...]

How the attacker got the commit into the tj-action/changed-files namespace seems obvious (GitHub uses a common storage pool for a repository and its forks; an attacker need only fork a repository and push the malicious commit to his own fork), but has there been any progress on determining how the tags were repointed?

I hope the explanation is stolen credentials, but possibilities include exploits on maintenance bots or even GitHub itself.


-- Jacob
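The two defensive checks that follow are an added example and not code from this thread or from the tj-action/changed-files project. The incident hinged on mutable tags being repointed at a malicious commit, so the first function flags any `uses:` reference in a workflow that is not pinned to a full 40-hex commit SHA, and the second compares a previously recorded tag-to-commit lockfile against a freshly observed tag listing and reports tags that now point elsewhere. The workflow text, repository names and SHAs are constructed sample data, not values from the incident.

```python
"""
Defensive checks against tag repointing in GitHub Actions workflows.

Added example, not code from the oss-security thread or from the
tj-action/changed-files project. All repository names, SHAs and workflow
text below are constructed sample data.
"""
import re
from typing import Dict, List, Tuple

# Matches "uses: owner/repo[/subpath]@ref", tolerating a leading "- " list
# marker and optional quotes around the reference.
USES_RE = re.compile(
    r'^\s*-?\s*uses:\s*["\']?([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@([^\s"\'#]+)'
)
# A full commit SHA is immutable; a tag or branch name is not.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned_uses(workflow_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, action, ref) for every `uses:` reference that
    resolves a mutable ref (tag or branch) instead of a full commit SHA.
    Local actions (./path) and docker:// references carry no owner/repo@ref
    form and are skipped by the regex."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group(1), m.group(2)
        if not FULL_SHA_RE.match(ref):
            findings.append((lineno, action, ref))
    return findings


def detect_tag_moves(
    expected: Dict[str, str], observed: Dict[str, str]
) -> Dict[str, Tuple[str, str]]:
    """Compare a recorded tag->SHA lockfile against currently observed tags.
    Returns {tag: (old_sha, new_sha)} for every tag whose target changed;
    a tag that disappeared is reported with new_sha == "MISSING"."""
    moved = {}
    for tag, old_sha in expected.items():
        new_sha = observed.get(tag, "MISSING")
        if new_sha != old_sha:
            moved[tag] = (old_sha, new_sha)
    return moved


# --- constructed sample data ---------------------------------------------
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/checkout@v4
      - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567
      - name: Changed files
        uses: example-org/changed-files@v45
      - run: echo ok
"""

# Tag->SHA map recorded when the pins were last reviewed (constructed).
EXPECTED_TAGS = {
    "v45": "0123456789abcdef0123456789abcdef01234567",
    "v45.0.1": "89abcdef0123456789abcdef0123456789abcdef",
}
# What a fresh tag listing would show after a hypothetical repoint (constructed).
OBSERVED_TAGS = {
    "v45": "fedcba9876543210fedcba9876543210fedcba98",
    "v45.0.1": "89abcdef0123456789abcdef0123456789abcdef",
}

if __name__ == "__main__":
    for lineno, action, ref in find_unpinned_uses(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {action}@{ref} is not pinned to a commit SHA")
    for tag, (old, new) in detect_tag_moves(EXPECTED_TAGS, OBSERVED_TAGS).items():
        print(f"tag {tag} moved: {old} -> {new}")
```

In practice the observed map would be built from the output of `git ls-remote --tags` against the action repository at review time, and the expected map kept alongside the workflows so that a moved tag fails the pipeline before the action runs.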