Threat Assessment: GitHub Actions Supply Chain Attack: The Compromise of tj-actions/changed-files
Summary
On 14 March 2025, an organisation called reviewdog had one of its GitHub repositories hijacked.
The compromised repository held a GitHub Action, a reusable tool that runs during the build and deployment phase of a software project, published by tj-actions.
As a result of the compromise, the tj-actions/changed-files action was tampered with, allowing attackers to gain access to sensitive workflow secrets found in the code of more than 23,000 repositories that used it.
It is theorised that the reviewdog repository was compromised via a leaked GitHub Personal Access Token (PAT).
To prevent similar events from occurring, users are advised to implement supply chain security controls, use verified actions, adopt Pipeline-Based Access Controls, and pin GitHub Actions to specific versions.
Affected parties should identify where the action was used, review workflow logs, rotate secrets and investigate any malicious activity. Palo Alto Networks customers can also apply out-of-the-box policies to protect against the associated risks.
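As an added illustration of the "identify usage" and "pin GitHub actions" advice above (example code written for this summary, not from the original assessment or from Palo Alto Networks), the following script scans workflow text for references to tj-actions/changed-files and reports which ones are pinned to a full commit SHA rather than a mutable tag or branch. The sample workflow and its version refs are constructed for the example.

```python
"""Scan GitHub Actions workflow text for uses of tj-actions/changed-files and
report whether each reference is pinned to a full commit SHA.
Added example, not code from the original assessment."""
import re

# Constructed sample workflow (not from the page): one mutable tag reference,
# one branch reference and one reference pinned to a (made-up) commit SHA.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  changed:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: tj-actions/changed-files@main
      - uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567 # v45
"""

# Matches `uses: owner/repo[/subpath]@ref` and captures owner/repo and ref.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.\-]+/[\w.\-]+)(?:/[^@\s]*)?@(\S+)", re.M)
# A ref is considered pinned only when it is a full 40-hex-character commit SHA.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_action_refs(workflow_text, action="tj-actions/changed-files"):
    """Return a list of (ref, pinned) for every `uses:` line invoking `action`.
    Tags and branches are mutable and can be retargeted at a malicious commit,
    which is why only a commit SHA counts as pinned here."""
    refs = []
    for match in USES_RE.finditer(workflow_text):
        if match.group(1) == action:
            ref = match.group(2)
            refs.append((ref, bool(SHA_RE.match(ref))))
    return refs


def unpinned_refs(workflow_text, action="tj-actions/changed-files"):
    """Refs of `action` that should be reviewed and re-pinned to a commit SHA."""
    return [ref for ref, pinned in find_action_refs(workflow_text, action) if not pinned]


if __name__ == "__main__":
    for ref, pinned in find_action_refs(SAMPLE_WORKFLOW):
        print(f"{ref}: {'pinned' if pinned else 'UNPINNED'}")
```

Run it over the contents of each file under .github/workflows/ to list the references that need review; a SHA pin alone does not prove the pinned commit is clean, so the pinned commit should still be checked against the maintainer's known-good history.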