Backdoored `tj-actions/changed-files` GitHub Action Leaked CI Secrets from Workflow Logs
The widely used GitHub Action tj-actions/changed-files was compromised after an attacker gained write access to the repository and retargeted release tags to a malicious orphaned commit, causing workflows pinned to tags rather than immutable SHAs to run attacker-controlled code. The backdoor downloaded and executed a remote payload that scraped decrypted GitHub Actions secrets from process memory and printed them into workflow logs, exposing repositories that executed the action and creating acute risk for public projects where logs were openly accessible. The incident was detected after anomalous outbound network activity was observed, and the maintainer removed the malicious changes soon afterward.
Follow-on analysis found the blast radius was substantial because the action was referenced across roughly 23,000 repositories and many workflows were not pinned to a full commit hash. GitGuardian reported that among workflows executed during the compromise window, hundreds showed signs of exploitation and 603 secrets were exposed in logs, including temporary GitHub tokens, DockerHub credentials, AWS keys, GitHub personal access tokens, Jira tokens, and cloud.gov credentials. Organizations using the action were urged to review workflow runs from March 14 onward, delete affected logs, rotate any exposed credentials, audit dependencies and commits, and pin third-party GitHub Actions to full commit SHAs to reduce future supply-chain risk.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Coinbase identified as original target of GitHub Action compromise
By 2025-03-21, reporting indicated that Coinbase was the intended initial target of the tj-actions/changed-files supply-chain attack. This added a new victim-targeting detail to the incident beyond the previously documented broad downstream exposure across GitHub repositories.
GitGuardian quantifies exposed workflows and leaked secrets
On 2025-03-18, GitGuardian reported that among 1,104 workflows run during the attack window, 276 showed signs of exploitation and 603 secrets were exposed across affected repositories. The exposed data included temporary GitHub tokens, DockerHub credentials, AWS keys, GitHub personal access tokens, Jira tokens, and cloud.gov credentials.
Maintainer removes malicious changes and advises users to review logs
After the compromise was discovered, the maintainer rapidly removed the malicious changes from tj-actions/changed-files. Affected users were advised to inspect GitHub Actions logs from March 14 onward for leaked secrets and rotate exposed credentials.
StepSecurity detects anomalous network activity from the compromised action
The attack was reportedly identified quickly on 2025-03-14 after the malicious payload made an unusual outbound network call that drew attention from StepSecurity. This detection helped surface the compromise soon after it began.
Malicious payload leaks GitHub Actions secrets into workflow logs
During the compromise window, the backdoored action downloaded and ran a remote script that extracted decrypted secrets from runner memory and printed them into workflow logs. Public repositories were at particular risk because their logs could be publicly accessible.
tj-actions/changed-files supply-chain compromise begins
On 2025-03-14, an attacker with write access to the tj-actions/changed-files repository moved existing release tags to a malicious orphaned commit. Workflows pinned to tags then executed attacker-controlled code, affecting a GitHub Action used by roughly 23,000 repositories.
Researchers trace attack chain to stolen SpotBugs token in late 2024
Unit 42 reported that the tj-actions/changed-files supply-chain attack began earlier than first believed, with attackers stealing a SpotBugs maintainer's personal access token in late 2024 via an exposed GitHub Actions workflow. The attackers allegedly used that access to move through SpotBugs and reviewdog before tampering with dependencies that ultimately led to the March 2025 compromise of tj-actions/changed-files.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
12 references tracked. Mallory keeps watching after this page renders.
GitHub Actions Automation Exploitation Supply Chain Risks Uncovered
linuxsecurity.com
Open sourceSecurity Incident Report: xygeni-action GitHub Action Compromise | Xygeni
xygeni.io
Open sourceStolen SpotBugs tokens sparked the massive GitHub attack
theregister.com
Open sourceCoinbase originally targeted during GitHub Action supply chain attack | Cybersecurity Dive
cybersecuritydive.com
Open sourceGitHub Actions supply chain attack spotlights CI/CD risks | TechTarget
techtarget.com
Open sourceGitHub Action tj-actions/changed-files supply chain attack | Wiz Blog
wiz.io
Open sourceTj-actions/changed-files GitHub Action Compromised - used by over 23K repos | Hacker News
news.ycombinator.com
Open sourceSupply chain attack abuses GitHub features to spread malware | TechTarget
techtarget.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Compromised GitHub Actions tags exfiltrated CI/CD secrets from runners
Threat actors compromised the popular GitHub Actions repositories `actions-cool/issues-helper` and `actions-cool/maintain-one-comment` by moving version tags to imposter commits outside the normal commit history, causing workflows that referenced those tags to fetch and run malicious code. Researchers said the payload downloaded the **Bun** JavaScript runtime, read memory from the GitHub Actions `Runner.Worker` process to recover decrypted secrets, and exfiltrated the data over HTTPS to the attacker-controlled domain `t.m-kosche[.]com`; workflows pinned to a known-good full commit SHA were not affected. GitHub later disabled access to the repository for a terms-of-service violation, while StepSecurity added the action to its Compromised Actions Policy and blocked the exfiltration domain through Harden-Runner. The incident highlights a broader GitHub Actions supply-chain risk in which CI/CD trust can be subverted through mutable references and weak integrity controls. Separate research showed that a modified Maven wrapper in a pull request could achieve code execution on GitHub-hosted runners and, if merged, later expose release secrets such as Maven publishing credentials and GPG material, underscoring the need for checksum validation on wrapper scripts and immutable pinning to trusted commit SHAs for third-party actions. StepSecurity also linked the same exfiltration infrastructure to the recent **Mini Shai-Hulud** activity targeting npm packages in the `@antv` ecosystem, suggesting the GitHub Actions compromise may be part of a wider supply-chain campaign.
May 19, 2026
AI-Assisted GitHub Actions Campaign Exploited `pull_request_target` to Steal Secrets
Researchers reported that the `prt-scan` campaign abused misconfigured GitHub Actions workflows using the `pull_request_target` trigger to run attacker-controlled code from forked pull requests in privileged CI contexts. The actor used at least six GitHub accounts to submit more than 500 malicious pull requests across six waves, disguising many as routine CI updates and tailoring payloads to Python, Node.js, Go, Rust, and GitHub Actions repositories. Wiz said the operation evolved from simple bash payloads into AI-assisted, repository-aware implants designed to steal `GITHUB_TOKEN` values, enumerate secrets, probe cloud metadata services, and exfiltrate credentials through workflow logs and pull request comments. The campaign succeeded often enough to cause real supply-chain impact despite an estimated success rate below 10%. Wiz confirmed compromise of the npm packages **`@codfish/eslint-config`** and **`@codfish/actions`** across 106 versions, and verified theft of AWS keys, Cloudflare API tokens, and Netlify authentication tokens. High-profile projects including Sentry, OpenSearch, IPFS, NixOS, Jina AI, and recharts reportedly blocked the attempts through contributor approval gates and workflow restrictions. The activity follows earlier warnings from Sysdig that insecure use of `pull_request_target` in prominent repositories such as MITRE, Splunk, and Spotipy could expose secrets and high-privilege `GITHUB_TOKEN` permissions, underscoring that unsafe GitHub Actions defaults remain an active software supply-chain risk.
Jun 8, 2026
GitHub Actions flaws exposed repositories to token leaks and privileged workflow compromise
Researchers and maintainers disclosed multiple GitHub Actions security issues that could let attackers steal credentials or gain code execution in CI/CD pipelines. Sansec and Packagist warned that older Composer releases could print raw `GITHUB_TOKEN` values into GitHub Actions logs after rejecting GitHub’s newer hyphenated token format, creating a supply-chain risk for PHP projects, especially public repositories and older repositories where the default token still had write access. Composer issued fixes in versions `2.9.8`, `2.2.28`, and `1.10.28`, while GitHub rolled back the token format rollout to reduce immediate exposure. Separate disclosures showed how workflow design and cache handling can turn limited CI access into broader repository compromise. A newly assigned `CVE-2026-42603` affects OWASP BLT before `2.1.2`, where a privileged `pull_request_target` workflow checked out and executed code from an attacker-controlled fork, enabling remote code execution with repository write permissions. Earlier research on GitHub Actions cache poisoning described "Actions Cache Blasting," a technique that abuses client-controlled cache keys, cache eviction, and lingering runtime tokens to replace cached artifacts used by more privileged workflows, potentially leading to secret disclosure, release-signing compromise, and tampered build outputs without visible changes in source code or workflow logs.
May 14, 2026