A recent supply chain attack on the popular GitHub Action tj-actions/changed-files has shaken the developer and security communities. This widely used action, which detects file changes in pull requests, was compromised so that it dumped CI secrets into GitHub Actions workflow logs, where anyone who could read those logs could harvest them.
The malicious commit has since been removed by GitHub, but the incident highlights the growing risks of supply chain attacks in the software development ecosystem.
What Happened?
On March 14, 2025, security researchers detected suspicious activity in tj-actions/changed-files, revealing that malicious code had been introduced into the repository. The attacker also retargeted the action's existing version tags at the malicious commit, so workflows referencing a tag such as v45 picked up the payload without any change on their side. The injected code was designed to steal secrets and credentials from GitHub Actions workflows, potentially compromising thousands of projects.
Were you impacted?
Public repositories are the most exposed, because their workflow logs are world-readable: any secret the compromised action printed there was immediately available to attackers. Private repositories are at somewhat lower risk, since their GitHub Actions logs are visible only to people with access to the repository, but any repository that ran the affected action should still treat every secret those runs could reach as potentially compromised and rotate it.
Follow these steps to determine if your organization was affected by the tj-actions supply chain attack.
- Arnica Customers are Covered – If you’re an Arnica customer, there is a finding in your code risks page with the title Using a compromised tj actions on GitHub. Simply filter to SAST and then search for this term.
- Search for tj-actions in Your Codebase – Search your repositories' workflow files (.github/workflows/*.yml and *.yaml) for tj-actions/changed-files, including references to it inside reusable workflows and composite actions.
- Or Run this Search Query – run the following GitHub code search (replace <YOURORG> with your organization's GitHub name):
https://github.com/search?q=org%3A<YOURORG>+uses%3A+tj-actions%2F&type=code
This will reveal repositories whose indexed workflow files reference the compromised GitHub Action.
- Review Past Workflow Runs – Even though the malicious commit has been removed, review the GitHub Actions logs of runs that executed during the compromise window for signs of credential exfiltration or unexpected behavior, and rotate any secrets those runs had access to.
How Arnica Responded Immediately
At Arnica, we are constantly monitoring emerging threats and securing our customers' code. As soon as the GitHub Actions compromise was identified, we took immediate action to protect our customers:
- ✅ Custom security rules deployed: We released a custom rule to flag any instances of the compromised action across customer environments.
- ✅ Ongoing monitoring & updates: Our security team continues to track GitHub repositories for any further anomalies or regressions related to this issue.
What Should You Do?
While the malicious commit has been removed by GitHub, we strongly recommend the following actions:
- Audit your past workflow runs: If your CI/CD pipelines used tj-actions/changed-files, review any runs between the time of compromise and the fix to check for potential exposure.
- Pin GitHub Actions to a specific commit SHA: Instead of referencing an action by tag or branch, pin it to a full 40-character commit SHA. A tag can be moved, as it was in this attack, but a commit hash cannot be silently swapped for different code. We created an Opengrep rule for you to get an inventory of all GitHub Actions used from untrusted sources without pinning to a specific hash. GitHub is working on an experimental feature that enforces immutable tags. However, until it is widely adopted, pinning to a specific hash is the recommended approach to prevent such software supply chain attacks.
- Restrict GitHub Actions to your organization: Review which GitHub Actions are necessary for the organization and use the organization's Actions permissions settings to allow only those specific actions to run.
- Limit access to secrets: Ensure that GitHub Actions workflows only expose the minimum required credentials (scoped per job rather than per workflow where possible) to prevent widespread leaks.
- Monitor for unusual behavior: Utilize Arnica’s real-time security policies to detect and block suspicious activity before it leads to compromise.
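The steps above (find every workflow that references tj-actions/changed-files, then check which third-party actions are referenced by a movable tag instead of a commit SHA) can be automated with a short script. The following is an added example for this post, not Arnica's rule, Opengrep rule or product code, and not code from the tj-actions project. It scans workflow text with a regular expression rather than a YAML parser so it runs with the standard library only; the sample workflow is constructed for the example, and the TRUSTED_OWNERS allowlist is an assumption you would replace with your own list.

```python
"""Inventory `uses:` references in GitHub Actions workflows, flag the
compromised tj-actions/changed-files action, and flag any third-party
action that is not pinned to a full commit SHA.

Added example; not the tooling or rule described in the post."""
import re
from dataclasses import dataclass
from pathlib import Path

# Matches `uses: owner/repo[/path]@ref` (optionally quoted, optionally a
# `- uses:` step line). Local actions (./path) and docker:// images carry
# no upstream ref and therefore never match.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?(?P<owner>[\w.-]+)/(?P<repo>[\w.-]+)"
    r"(?P<path>/[^@'\"\s]*)?@(?P<ref>[^'\"\s#]+)"
)
# A full commit SHA is 40 lowercase hex characters; anything else is a
# tag or branch that the upstream owner (or an attacker) can move.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

COMPROMISED = {"tj-actions/changed-files"}
# Assumption for this example: actions under these owners are trusted
# even when referenced by tag. Replace with your organization's allowlist.
TRUSTED_OWNERS = {"actions", "github"}


@dataclass
class Finding:
    line_no: int
    action: str      # owner/repo
    ref: str         # whatever followed the '@'
    pinned: bool     # ref is a full commit SHA
    compromised: bool
    trusted: bool


def scan_workflow(text):
    """Return one Finding per remote `uses:` reference in a workflow file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action = f"{m['owner']}/{m['repo']}"
        ref = m["ref"]
        findings.append(Finding(
            line_no=line_no,
            action=action,
            ref=ref,
            pinned=bool(SHA_RE.match(ref)),
            compromised=action in COMPROMISED,
            trusted=m["owner"] in TRUSTED_OWNERS,
        ))
    return findings


def needs_attention(f):
    """Compromised action, or a third-party action not pinned to a SHA."""
    return f.compromised or (not f.trusted and not f.pinned)


def scan_directory(root):
    """Scan every workflow file under <root>/.github/workflows."""
    results = {}
    for path in sorted(Path(root, ".github", "workflows").glob("*.y*ml")):
        results[str(path)] = scan_workflow(path.read_text())
    return results


def report(findings):
    """Human-readable lines for the findings that need action."""
    lines = []
    for f in findings:
        if not needs_attention(f):
            continue
        why = "COMPROMISED ACTION" if f.compromised else "not pinned to a commit SHA"
        lines.append(f"line {f.line_no}: {f.action}@{f.ref} ({why})")
    return lines


# Constructed sample workflow for the example (not a real repository).
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Detect changed files
        uses: tj-actions/changed-files@v45
      - uses: docker://alpine:3.19
      - uses: ./.github/actions/local-helper
      - uses: some-org/some-action@6b6a2e7a0d0f3c3b1e8c0b4b6a2e7a0d0f3c3b1e   # v2.1.0
      - uses: other-org/lint@main
"""

if __name__ == "__main__":
    for line in report(scan_workflow(SAMPLE_WORKFLOW)):
        print(line)
```

Run against a checkout with `scan_directory(".")` to cover every workflow file at once. On the constructed sample, the script flags the tj-actions/changed-files reference and the branch-pinned other-org/lint step, and accepts the SHA-pinned third-party action and the tag-pinned actions/checkout step (only because "actions" is on the assumed allowlist). It will not see references hidden inside reusable workflows in other repositories, so pair it with the organization-wide code search above.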
Stay Safe with Arnica
This attack serves as a reminder that supply chain security is critical. At Arnica, we ensure that your code is continuously monitored, and we deploy immediate protections to keep your organization safe. By staying ahead of threats and integrating proactive security measures, we help our customers stay secure, compliant, and resilient against evolving software supply chain risks.
Reduce Risk and Accelerate Velocity
Integrate Arnica ChatOps with your development workflow to eliminate risks before they ever reach production.