A recent supply chain attack has compromised over 23,000 GitHub repositories through the popular GitHub Action, 'tj-actions/changed-files'. This Action, widely used to track file and directory changes in continuous integration and continuous delivery (CI/CD) workflows, was maliciously modified to expose sensitive information.
On March 14, 2025, security researchers from StepSecurity identified a malicious commit in the 'tj-actions/changed-files' repository. Attackers altered the code to execute a Python script that dumped CI/CD secrets into build logs. If these logs were publicly accessible, unauthorized individuals could retrieve exposed secrets. While there is no current evidence of these secrets being exfiltrated, the potential risk remains significant.
The compromised Action affected numerous CI pipelines, leading to concerns about the integrity of downstream open-source libraries and containers. Security experts have warned that this breach could serve as a gateway for further supply chain attacks, potentially impacting thousands of open-source packages.
In response, GitHub promptly removed the malicious Action. Developers using 'tj-actions/changed-files' are strongly advised to discontinue its use immediately and seek alternative implementations. Additionally, it is recommended to review recent CI/CD logs for any unauthorized access and to rotate any exposed secrets to mitigate potential threats.
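The first step in following the advice above is knowing which workflows in your repositories still reference the Action. The script below is an added example, not code from the article or from the tj-actions project: it parses the `uses:` lines of GitHub Actions workflow files, flags any reference to `tj-actions/changed-files`, and also reports whether each third-party Action is pinned to a full 40-character commit SHA rather than a mutable tag or branch. That pinning check is a general hardening practice assumed here, not something the article states; the sample workflow and the SHA in it are constructed for demonstration.

```python
"""Inventory GitHub Actions workflow files for references to a compromised Action.

Added example, not from the original article. It scans workflow YAML for
`uses:` step references, flags tj-actions/changed-files (which the article
advises discontinuing), and reports whether each third-party Action is pinned
to a full commit SHA (a general hardening practice assumed here, not stated
on the page).
"""
import re
from pathlib import Path

COMPROMISED_ACTION = "tj-actions/changed-files"

# Matches a step reference such as `uses: owner/repo@ref` or `owner/repo/path@ref`,
# with or without a leading list dash and with optional quotes around the value.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"@]+)@([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_uses(workflow_text):
    """Return a list of (action, ref) tuples, one per `uses:` line that carries an @ref.

    Local references (`uses: ./path`) have no @ref and are therefore not returned.
    """
    refs = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m:
            refs.append((m.group(1), m.group(2)))
    return refs


def audit_workflow(workflow_text):
    """Return one finding dict per third-party Action reference in the workflow."""
    findings = []
    for action, ref in parse_uses(workflow_text):
        if action.startswith("docker://"):
            continue  # container image references are out of scope for this check
        repo = "/".join(action.split("/")[:2])  # owner/repo, ignoring any sub-path
        findings.append({
            "action": action,
            "ref": ref,
            "compromised": repo == COMPROMISED_ACTION,
            "pinned_to_sha": bool(FULL_SHA_RE.match(ref)),
        })
    return findings


def audit_repo(repo_root):
    """Audit every workflow file under .github/workflows in a local checkout."""
    results = {}
    for path in Path(repo_root, ".github", "workflows").glob("*.y*ml"):
        results[str(path)] = audit_workflow(path.read_text(encoding="utf-8"))
    return results


# Constructed sample workflow for demonstration; the SHA below is a placeholder,
# not a real commit of any project.
SAMPLE_WORKFLOW = """
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Detect changes
        uses: tj-actions/changed-files@v45
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        if f["compromised"]:
            status = "COMPROMISED - remove and rotate secrets used by this workflow"
        elif f["pinned_to_sha"]:
            status = "pinned to commit SHA"
        else:
            status = "mutable ref (tag/branch)"
        print(f"{f['action']}@{f['ref']}: {status}")
```

Run `audit_repo(".")` from the root of a checkout to get a per-file report; any finding with `compromised` set identifies a workflow whose secrets should be treated as exposed and rotated, and any third-party Action with `pinned_to_sha` false is one whose referenced code can change underneath you without a commit in your repository.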
This incident underscores the critical need for heightened vigilance in software supply chains and the importance of real-time CI/CD security monitoring to detect and prevent such compromises.