Risks to CI/CD Secrets in Over 23,000 Repositories and Implications for Software Supply Chain Security
Blog post from SSOJet
The compromise of the tj-actions/changed-files GitHub Action, impacting over 23,000 repositories, underscores critical vulnerabilities within software supply chains, especially in CI/CD workflows. Attackers altered the action's code and updated version tags to point to malicious commits, leading to the exposure of sensitive CI/CD secrets such as AWS access keys and GitHub Personal Access Tokens. The incident, detected on March 14, 2025, prompted GitHub to remove the compromised action from the marketplace, and it was later restored to a secure state. Organizations affected by this breach are urged to audit their workflows, rotate exposed credentials, and monitor pipelines for suspicious activity. Mitigation strategies include pinning dependencies, implementing runtime monitoring, restricting permissions, and conducting regular security audits to prevent future attacks. For further guidance, organizations are advised to explore resources and services such as those offered by SSOJet for enhancing security measures and managing user authentication securely.
| Trend | Post Mentions | Total Month Mentions | Posts | Companies | MoM |
|---|---|---|---|---|---|
| Secrets Management | 6 | 1,233 | 139 | 73 | +105% |
| Real-time | 1 | 4,629 | 997 | 226 | +44% |