2025-03-21 08:36:13

William K⚡Santiago🔑☢️ on Nostr:

GitHub suffers a cascading supply chain attack compromising CI/CD secrets

CISA confirms cascading attack from reviewdog to tj-actions exposed sensitive credentials across 23,000+ repositories.
https://www.infoworld.com/article/3849245/github-suffers-a-cascading-supply-chain-attack-compromising-ci-cd-secrets.html

Entities impacted by the GitHub cascading supply chain attack, which originated from the compromise of "reviewdog/action-setup@v1" and spread to "tj-actions/changed-files" across over 23,000 repositories, should swiftly enact protective measures.

These actions entail auditing all CI/CD workflows for references to the compromised actions, rotating any potentially exposed credentials—including API keys, GitHub Personal Access Tokens (PATs), and private RSA keys—and pinning GitHub Actions to full commit SHAs rather than mutable version tags, so that a tag cannot later be retargeted to tampered code.

Organizations should use GitHub’s allow-list to block unauthorized actions and delete past workflow logs that might reveal compromised credentials.

They should also monitor for unusual activity to secure their development environments, per CCSS standards (https://cryptoconsortium.org/standards-2/) for protecting critical cryptographic assets.
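The first two steps above (find every workflow that references the compromised actions, then decide whether credentials must be rotated) and the pinning and allow-list advice can be turned into a repeatable check. The script below is an added example, not code from the post, from InfoWorld or from CISA. It scans workflow text line by line for `uses:` references without a YAML parser, so it runs offline; the sample workflow, the 40-hex commit SHA and the `some-org/lint-helper` action are constructed placeholders, and the set of allowed owners is an assumption a team would replace with its own policy.

```python
import re
from dataclasses import dataclass

# Constructed sample workflow file (not taken from any real repository).
# The 40-hex SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: reviewdog/action-setup@v1
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567
      - uses: some-org/lint-helper@v2
      - uses: ./.github/actions/local-step
      - run: echo build
"""

# Matches the `uses:` key of a step, with or without quotes around the value.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'\s#]+)')
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# The two actions the post names as compromised in this incident.
KNOWN_COMPROMISED = {"reviewdog/action-setup", "tj-actions/changed-files"}


@dataclass
class Finding:
    line: int
    ref: str
    verdict: str


def classify(ref: str, allowed_owners: set) -> str:
    """Classify one `uses:` reference from a defender's point of view."""
    if ref.startswith("./") or ref.startswith("docker://"):
        return "local-or-docker"          # not a marketplace action; out of scope here
    action, _, version = ref.partition("@")
    parts = action.split("/")
    owner, repo_path = parts[0], "/".join(parts[:2])
    if repo_path in KNOWN_COMPROMISED:
        return "known-compromised"        # any version: the tags themselves were untrustworthy
    if owner not in allowed_owners:
        return "owner-not-allowlisted"    # would be blocked by an allowed-actions policy
    if not FULL_SHA_RE.match(version):
        return "mutable-ref"              # tag or branch: can be retargeted after review
    return "pinned"


def audit_workflow(text: str, allowed_owners: set) -> list:
    """Return one Finding per `uses:` line in a workflow file."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            findings.append(Finding(n, ref, classify(ref, allowed_owners)))
    return findings


def credential_rotation_needed(findings: list) -> bool:
    """True when a workflow referenced a compromised action: rotate every secret it could reach."""
    return any(f.verdict == "known-compromised" for f in findings)


if __name__ == "__main__":
    results = audit_workflow(SAMPLE_WORKFLOW, allowed_owners={"actions"})
    for f in results:
        print(f"line {f.line:3d}  {f.verdict:22s}  {f.ref}")
    print("rotate credentials:", credential_rotation_needed(results))
```

Run it over every file under `.github/workflows/` in each repository; a `known-compromised` verdict means the secrets available to that workflow should be rotated and its past run logs reviewed, while `mutable-ref` lines are the ones to convert to commit SHAs.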
Author Public Key
npub1h3fzzzeq60acjvnyvw34rpn5clkaueteffmkt3ln4ygekg9lcm0qhw96sj