A recent supply chain attack targeting the widely used tj-actions/changed-files tool has exposed thousands of organizations to security risks, highlighting the ongoing vulnerabilities within the open-source software (OSS) ecosystem. This attack has once again demonstrated the importance of rigorous security practices when integrating third-party dependencies.

The Attack: How It Happened

The tj-actions/changed-files tool, a GitHub Action used to automate software updates, was compromised when a threat actor gained access to the GitHub account of its maintainer. The attacker silently modified the code, injecting malicious instructions designed to steal sensitive information from the machines running the software.

This particular tool is part of a broader collection of GitHub Actions used by more than 23,000 organizations, ranging from startups to large enterprises. Due to its trusted status, many developers unknowingly executed the malicious code, allowing the attacker to collect critical credentials.

The Impact: A Major Security Breach

The compromised tool harvested sensitive credentials, including:

• AWS access keys
• GitHub Personal Access Tokens (PATs)
• npm tokens
• Private RSA keys

These credentials were stored in plaintext logs, making them easily accessible to malicious actors. Security researchers from Wiz identified dozens of affected repositories, many belonging to major enterprises. These leaked credentials could be exploited to gain unauthorized access to internal systems, leading to data breaches, service disruptions, and further cyberattacks.

GitHub’s Response and Recommendations

GitHub quickly responded to the incident, emphasizing that its platform was not compromised. The company took the following actions:

• Suspended the affected user account to prevent further damage.
• Removed the malicious content to mitigate the spread of the attack.
• Reinstated the account and restored content after confirming that all malicious changes were reversed and the source of compromise was secured.

Despite GitHub’s intervention, the attack serves as a stark reminder for developers and organizations to adopt strong security hygiene when using third-party dependencies.

Lessons Learned: Strengthening Open-Source Security

This attack underscores the necessity for organizations to be proactive in securing their software supply chains. Here are key takeaways to mitigate similar risks in the future:

1. Regularly Audit Dependencies – Always review and audit third-party tools before updating them, ensuring they have not been altered maliciously.
2. Monitor for Compromise – Set up automated monitoring for suspicious activity in repositories and logs.
3. Use Minimal Privileges – Limit access and permissions for credentials used in automation workflows.
4. Implement Multi-Factor Authentication (MFA) – Secure GitHub and other development accounts with MFA to prevent unauthorized access.
5. Stay Updated on Security Alerts – Subscribe to security advisories and act promptly when vulnerabilities are reported.

Summing It Up…

Since open-source software is basically in all today’s apps (90% of code is OSS), the risk of a supply chain attack is real. The tj-actions/changed-files compromise serves as a wake-up call for developers and enterprises alike. By implementing strict security measures and maintaining vigilance over third-party dependencies, organizations can reduce their exposure to such threats and safeguard their critical assets.

Fossity’s innovative open-source software audit method uncovers vulnerabilities not only in your developed OSS code but also in third-party dependencies and embedded snippets. Stay ahead of security risks—get in touch today!

Source: Security issue in open-source software leaves businesses concerned for systems