Author: Micah Silverman
Word count: 2139
Language: English
Hacker News points: None

Summary

The compromise of the TJ Actions Changed Files GitHub Action was a serious supply-chain exploit: an attacker with write privileges on the repository could cause encrypted secrets to appear in plaintext in the GitHub Actions logs. The attack relied on an external network call that pulled down the malicious code, made possible by an orphaned Git commit and manipulated release tags. About 23,000 GitHub repositories that used this Action in their CI and DevOps workflows were affected. To avoid similar attacks in the future, developers are advised to reference commit hashes directly instead of relying on tags, and to consider adding custom GitHub Actions that flag unexpected network calls.
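The pinning advice in the summary, as an added example that is not code from the original article: a small checker that flags `uses:` references in a workflow file that resolve by tag or branch rather than by a full commit SHA. The workflow text, the version tags and the 40-character SHA are constructed for the demonstration.

```python
import re

# Constructed sample workflow (not from the original page). It mixes tag
# references, one SHA-pinned reference (hypothetical SHA), and two
# references that tag pinning does not apply to.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567 # v45
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify(ref):
    """Return 'pinned', 'mutable', or 'skip' for one `uses:` reference."""
    if ref.startswith("./") or ref.startswith("docker://"):
        return "skip"  # local action or container image: not a git ref
    if "@" not in ref:
        return "mutable"  # no ref at all resolves to the default branch
    _, _, version = ref.rpartition("@")
    # A tag or branch can be moved to point at attacker-controlled code;
    # only a full commit SHA identifies an immutable snapshot.
    return "pinned" if FULL_SHA_RE.match(version) else "mutable"


def find_mutable_refs(workflow_text):
    """List every action reference that is not pinned to a full commit SHA."""
    return [ref for ref in USES_RE.findall(workflow_text)
            if classify(ref) == "mutable"]


if __name__ == "__main__":
    for ref in find_mutable_refs(SAMPLE_WORKFLOW):
        print(f"unpinned action reference: {ref}")
```

Running the script prints the two tag-based references; the SHA-pinned line, the local action and the container image are not reported.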