We are actively responding to a significant security breach involving the widely used GitHub Action, tj-actions/changed-files. Current findings indicate that nearly all tagged versions of tj-actions/changed-files have been compromised, resulting in direct access to running containers and virtual machines’ memory, allowing the extraction of sensitive secrets, information, and code. This is happening through the following command execution:
Immediate remediation is necessary for all repositories leveraging this Action.
Incident Summary
The GitHub Action tj-actions/changed-files, integrated across over 23,000 repositories, has been compromised through a malicious code injection. The malicious commit (0e58ed8671d6b60d0890c21b07f8835ace038e67) contains exploit code designed to print sensitive CI/CD secrets into publicly accessible GitHub Actions build logs.
This compromise was identified using an Upwind sensor combined with Upwind Shift Left’s behavioral monitoring, triggered by the detection of unusual endpoint interactions along with direct access to memory files.
The exploit involves executing a Python script fetched from an external gist, targeting GitHub Actions runner processes (Runner.Worker) to dump secrets directly from memory.
Technical Details
The compromised Action executes the following encoded malicious code on Linux runners:
This script specifically targets the Runner.Worker process memory space to extract sensitive secrets.
The external script involved (memdump.py) locates and reads the memory contents of the runner worker process.
Attackers Continue to Undermine the ‘Shift-Left’ Security Paradigm
In recent years, it became common to believe that securing code at the GitHub Actions and build process was sufficient, often overlooking the critical importance of runtime security in CI/CD runners.
We can see how eBPF sensors are uniquely positioned to detect such threats by capturing activities directly at the kernel level in real-time.
Runtime Without a Baseline Is Almost Worthless
Monitoring workloads with eBPF is meaningless without the ability to distinguish abnormal behavior.
In this case, a legitimate curl process ran on a build server—something that might not immediately raise an alarm for security teams. However, this was an abnormal, out-of-baseline curl execution that required immediate attention from the security team.
In this specific scenario, our eBPF sensors would have identified:
- Execution of unauthorized scripts.
- Suspicious memory access targeting sensitive processes (
Runner.Worker). - Abnormal
curlprocess execution - Anomalous outbound network traffic to out-of-organization GitHub destination
gist.githubusercontent.com.
Here’s the actual compromise that Upwind detected in runtime:
Conclusion & Immediate Recovery Steps
- Find all places where you might be using tj-actions: Search all repositories using GitHub search to locate compromised Actions.
- Stop Using the Action: Immediately discontinue use until the issue is fully resolved.
- Review Logs: Inspect recent logs for secret leaks, especially critical for public repositories.
- Upwind Topology Map: Our map allows you to view connections to
gist.githubusercontent.comto identify affected workflows. - Upwind Threats: Understand all impacted resources that have been compromised.
Next Steps
Continue following GitHub Issue #2463. We will continue to provide updates as our investigation evolves.
To proactively detect and mitigate similar supply chain attacks in the future, leverage Upwind eBPF sensors and Upwind Shift Left to integrate with your CI/CD and monitor runtime activity.
