SecurityBrief US - Technology news for CISOs & cybersecurity decision-makers

GitHub Action compromise affects over 23,000 repositories

Thu, 20th Mar 2025

A supply chain attack has affected the tj-actions/changed-files GitHub Action, impacting over 23,000 repositories.

tj-actions/changed-files is used within software development pipelines to detect which files have changed in a repository. After a commit or review, the Action reports file status changes so that later build and deployment steps can act on them. A malicious commit has now altered how it operates.

Dimitri Stiliadis, Chief Technology Officer and co-founder of Endor Labs, explained, "A malicious commit was discovered in the popular tj-actions/changed-files GitHub Action, which is used in over 23,000 repositories."

The attackers retroactively updated multiple version tags of the GitHub Action to refer to the compromised commit. These updates allow a malicious Python script embedded within the Action to extract CI/CD secrets whenever the Action is executed, affecting numerous CI pipelines.

"The attackers modified the action's code and retroactively updated multiple version tags to reference the malicious commit. The compromised Action now executes a malicious Python script that dumps CI/CD secrets, impacting thousands of CI pipelines," Stiliadis said, elaborating on the technical scope of the attack.

The compromise, which has been assigned a CVE, affects public GitHub repositories with Actions enabled that depend on the compromised resource, and those users need to reconfigure their workflows immediately. The breach is not expected to cause customer outages, but it may disrupt organisations' change processes.

Stiliadis noted, "For organisations that build software, they will likely need to reconfigure their pipelines if they are using the compromised Action." He added that the attack's intent was likely to compromise the software supply chain rather than to access secrets in repositories that are already public.

While no evidence suggests that downstream open-source libraries or containers have been impacted at this stage, vigilance remains crucial. Stiliadis urged the open-source community to continue monitoring for any further potential compromises.

Stiliadis stated, "We urge open source maintainers and the security community to join us in keeping a close eye out for potential secondary compromises." He also highlighted that private repositories using the Action should review their systems.

Following the discovery, GitHub removed the Action, so users must switch to other implementations. Workflows that still reference it will fail, and cached copies of the compromised version may continue to run if nothing is done.

Organisations using GitHub Actions should promptly assess their exposure so they can determine and mitigate the impact. This assessment involves searching workflows for references to tj-actions, removing the Action from every branch, and auditing past workflow runs for any signs of compromise or unexpected network activity.
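The first step of that assessment, finding every workflow that references tj-actions, is easy to script. The following POSIX shell script is an added example written for this article, not code from GitHub, Endor Labs or the tj-actions project. It scans a checkout's `.github/workflows` directory for `uses: tj-actions/...` lines and, because the attackers redirected mutable version tags, also reports whether each reference is pinned to a full 40-character commit SHA or to a tag or branch that a retroactive tag rewrite could retarget. The sample repository it builds, the tag names and the 40-hex "commit" in it are constructed placeholders, not real references.

```shell
#!/bin/sh
# Added example (not from the article): scan a checkout for tj-actions/* references
# in GitHub workflow files and classify each as pinned (full commit SHA) or mutable
# (tag or branch name). Mutable references are the ones a retroactive tag update
# can silently redirect to a different commit.

# scan_workflows DIR
#   prints one line per reference: FILE:LINE:REF:PINNED|MUTABLE
scan_workflows() {
    dir="$1"
    grep -rn -E 'uses:[[:space:]]*tj-actions/' "$dir/.github/workflows" 2>/dev/null |
    while IFS= read -r line; do
        file=${line%%:*}          # grep -rn output is FILE:LINE:CONTENT
        rest=${line#*:}
        lineno=${rest%%:*}
        # strip "LINE:", optional list dash, "uses:" and any trailing comment
        ref=$(printf '%s\n' "$rest" |
              sed -E 's/^[0-9]+:[[:space:]]*-?[[:space:]]*uses:[[:space:]]*//; s/[[:space:]]*#.*$//')
        version=${ref#*@}         # part after '@'; equals ref itself if no '@'
        if printf '%s' "$version" | grep -qE '^[0-9a-f]{40}$'; then
            kind=PINNED
        else
            kind=MUTABLE
        fi
        printf '%s:%s:%s:%s\n' "$file" "$lineno" "$ref" "$kind"
    done
}

# count_refs DIR    -> number of tj-actions references found
count_refs() { scan_workflows "$1" | awk 'END { print NR }'; }

# count_mutable DIR -> number of references not pinned to a full commit SHA
count_mutable() { scan_workflows "$1" | awk -F: '/:MUTABLE$/ { n++ } END { print n + 0 }'; }

# make_sample_repo -> creates a constructed sample checkout and prints its path.
# Tags, branch and the 40-hex SHA below are placeholders, not real tj-actions refs.
make_sample_repo() {
    root=$(mktemp -d)
    mkdir -p "$root/.github/workflows"
    cat > "$root/.github/workflows/ci.yml" <<'EOF'
name: ci
on: [pull_request]
jobs:
  changed:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Detect changed files
        uses: tj-actions/changed-files@v45   # constructed tag: mutable, retargetable
EOF
    cat > "$root/.github/workflows/release.yml" <<'EOF'
name: release
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
      - uses: tj-actions/changed-files@main
EOF
    printf '%s\n' "$root"
}

# Usage: sh scan_tj_actions.sh /path/to/checkout
# With no argument the script runs against the constructed sample repository.
if [ -n "${1:-}" ]; then
    scan_workflows "$1"
else
    sample=$(make_sample_repo)
    scan_workflows "$sample"
    echo "references: $(count_refs "$sample"), mutable: $(count_mutable "$sample")"
    rm -rf "$sample"
fi
```

Run it from the root of each branch you check out (for example inside a `for branch in $(git branch -r)` loop) so that references on non-default branches are not missed; any line reported as MUTABLE is one whose target the attackers could have moved by rewriting the tag, and any line at all is a workflow whose secrets should be rotated.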

Stiliadis advised, "Disable and rotate any secrets that were stored alongside your repos," underlining the necessity of updated security practices.

Stiliadis highlighted the broader implications for those relying on open-source dependencies. "The focus now has to be on what's next. How long will it take the thousands of open source GitHub repos affected to take the proper security measures and revoke/change secrets?" he queried, emphasising the urgency of addressing the attack's potential fallout.
