Full Report
GitHub was forced to take action this weekend to help users after a threat actor compromised a popular open source package used by more than 23,000 organizations.
Analysis Summary
# Incident Report: Compromise of GitHub Action tj-actions/changed-files Leading to Secret Exposure
## Executive Summary
A threat actor compromised the popular open-source GitHub Action, `tj-actions/changed-files`, which is used by over 23,000 organizations. The compromise involved modifying the package code to cause CI/CD secrets—exposed in build logs—to be leaked when the action ran in public repositories. GitHub intervened by suspending the account and restoring the clean code, but not before numerous enterprises had their sensitive credentials stolen.
## Incident Details
- Discovery Date: Friday (Exact date not specified, inferred from StepSecurity warning)
- Incident Date: Occurred prior to Friday's disclosure.
- Affected Organization: tj-actions/changed-files maintainers; impacted users include "dozens of repositories operated by large enterprise organizations."
- Sector: Technology/Software Development (CI/CD Ecosystem)
- Geography: Global (Platform-wide impact across GitHub users)
## Timeline of Events
### Initial Access
- Date/Time: Unclear (Attack occurred before Friday's warning)
- Vector: Compromise of a maintainer bot account associated with `tj-actions/changed-files`.
- Details: Attackers are suspected to have stolen a GitHub Personal Access Token (PAT) belonging to a bot with write access to the repository.
### Lateral Movement
- Not explicitly detailed, but the malicious code was injected directly into the widely used package update stream, achieving widespread distribution upon update by downstream users.
### Data Exfiltration/Impact
- Date/Time: Ongoing until resolution/detection.
- Details: The malicious code exploited the action to intentionally write secrets visible in CI/CD build logs (specifically in public repositories). Leaked secrets included AWS access keys, GitHub PATs, npm tokens, and private RSA Keys.
### Detection & Response
- **Detection:** Cybersecurity firm StepSecurity publicly warned of the incident on Friday.
- **Response:**
1. GitHub suspended the user accounts associated with `tj-actions` and removed the malicious content out of an "abundance of caution."
2. Security firms (Wiz, Aqua Security, Endor Labs) analyzed the scope of the compromise.
3. By Saturday 10 PM, GitHub had confirmed malicious changes were reverted, restored the content to its original, clean state, and reinstated the account.
## Attack Methodology
- **Initial Access:** Theft of a GitHub Personal Access Token (PAT) for a bot account maintaining the repository.
- **Persistence:** Modifying the dependency code itself, leveraging distribution via the GitHub Action ecosystem.
- **Privilege Escalation:** Not applicable in the traditional sense; attackers leveraged existing write access granted to the compromised bot account.
- **Defense Evasion:** None explicitly mentioned, but the malicious payload was injected directly into a trusted, high-use third-party dependency.
- **Credential Access:** Indirect. The attack caused the *exposure* of credentials already present in CI/CD logs configured by users.
- **Discovery:** Not applicable in the traditional sense; the goal was immediate payload delivery.
- **Lateral Movement:** Supply chain distribution—moving from the compromised repository to all 23,000+ consuming organizations.
- **Collection:** Targeting clear-text secrets printed to publicly accessible CI/CD build logs.
- **Exfiltration:** Attackers retrieved the exposed secrets from public logs.
- **Impact:** Theft of sensitive credentials allowing access to cloud environments (AWS), code repositories (GitHub PATs), and package managers (npm).
## Impact Assessment
- **Financial:** Costs associated with remediation, secret rotation, and potential cloud service misuse are implied but not quantified.
- **Data Breach:** Comprehensive exposure of operational secrets including: AWS access keys, GitHub PATs, npm tokens, and private RSA Keys.
- **Operational:** Disruption to CI/CD pipelines of affected organizations who relied on the action.
- **Reputational:** Increased scrutiny on the security of the GitHub Actions ecosystem and third-party dependencies.
## Indicators of Compromise
- **Network indicators:** None provided (defanged).
- **File indicators:** Maliciously modified source code within the `tj-actions/changed-files` repository (now reverted).
- **Behavioral indicators:** Running any version of the `tj-actions/changed-files` action that was deployed between the compromise time and GitHub's intervention, particularly in public repository workflows.
## Response Actions
- **Containment:** GitHub suspended the compromised user accounts/repository maintainers and removed access points.
- **Eradication:** Malicious code changes were verified as reverted back to the last known good state by GitHub.
- **Recovery:** The user account and content were reinstated after verification. Downstream users must rotate all potentially leaked secrets.
## Lessons Learned
- Third-party dependencies, even widely used open-source tools like GitHub Actions, represent significant systemic vulnerabilities in the automation pipeline.
- Relying on third-party code requires continuous vigilance, as dependency updates can introduce immediate risk.
- The maintainers suggested that not all submissions to the action were verified, indicating a potential gap in the project's governance process.
## Recommendations
- Security professionals must immediately audit all repositories for usage of the compromised Action (`tj-actions/changed-files`) and replace or remove it.
- Perform immediate and comprehensive rotation of all secrets known to have been present in CI/CD environments, including AWS keys, GitHub PATs, npm tokens, and RSA keys.
- Implement stronger governance over dependency management, potentially requiring strict signature verification or more rigorous manual review before incorporating new versions of external code components.