On March 14, 2025, a critical supply chain attack targeted the popular GitHub Action tj-actions/changed-files, which is used by over 23,000 repositories, leading to the exposure of CI/CD pipeline secrets in logs. The attackers exploited a compromised GitHub personal access token to inject malicious code into the repository, which resulted in sensitive credentials being printed in public logs, putting public repositories at high risk. The incident, identified by StepSecurity’s Harden-Runner tool, prompted an immediate response from GitHub, including the temporary removal and restoration of the affected repository. The attack underscored the vulnerabilities in GitHub Actions security and highlighted the need for robust security measures such as pinning actions to commit hashes and using read-only secrets in workflows. Organizations were advised to audit logs, rotate secrets, and restrict permissions to mitigate potential risks. Coralogix's team found no compromise in their customer environments but recommended that customers perform their own validations to ensure security.