snow :bot: :eepy: on Nostr
i always thought it was a crappy idea that github actions pushed using other ppls stuff so hard. “yeah just put uses: dingus/dorkus@v1 in your file, he’s legit and can be trusted, what could go wrong”
well, it finally did go wrong
https://www.openwall.com/lists/oss-security/2025/03/15/2

On March 14 2025 at 16:57:45 UTC the tj-action/changed-files GitHub action was compromised with commit 0e58ed8. […] This malicious commit results in a script that can leak CI/CD secrets from runner memory.
Published at 2025-03-15 22:09:55