Full Report
A supply chain attack on tj-actions/changed-files caused many repositories to leak their secrets over the weekend. Wiz Research has discovered an additional supply chain attack on reviewdog/actions-setup@v1, that may have contributed to the compromise of tj-actions/changed-files.
Analysis Summary
# Incident Report: Chained Supply Chain Attack Targeting GitHub Actions Leading to CI Secret Leakage
## Executive Summary
A sophisticated, chained supply chain attack was discovered impacting the GitHub Action ecosystem, specifically targeting `reviewdog/action-setup@v1` and subsequently being linked to the compromise of `tj-actions/changed-files`. The attack vector involved injecting malicious, base64-encoded code via a compromised Action tag, causing CI runners to dump workflow secrets directly into public repository logs. The primary impact was the inadvertent exposure of secrets in logs, necessitating immediate secret rotation and hardening of third-party Action usage across organizations.
## Incident Details
- Discovery Date: Sometime after March 17, 2025 (Wiz Research identified the `reviewdog/action-setup` vector leading up to the well-known `tj-actions` incident).
- Incident Date: The compromise of `reviewdog/action-setup@v1` occurred around **March 11, 2025**, between 18:42 and 20:31 UTC.
- Affected Organization: Various organizations utilizing the targeted GitHub Actions (`tj-actions/changed-files`, `reviewdog/action-setup`, and downstream actions).
- Sector: Technology/Software Development (DevOps/CI/CD).
- Geography: Global (Due to the nature of GitHub Actions usage).
## Timeline of Events
### Initial Access
- Date/Time: March 11, 2025 (18:42 - 20:31 UTC)
- Vector: Supply Chain Compromise via Malicious Tag Commit.
- Details: An attacker gained sufficient access (likely via a compromised contributor account or PAT) to update the `v1` tag of the `reviewdog/action-setup` repository to point to a malicious commit containing a base64-encoded payload inserted into `install.sh`.
### Lateral Movement
- The initial compromise vector, `reviewdog/action-setup@v1`, was then used by other reviewdog actions (e.g., `action-shellcheck`, `action-staticcheck`).
- Crucially, it is *believed* this compromise led to the compromise of the `tj-actions-bot PAT`, which was then used to inject a different malicious payload into `tj-actions/changed-files`.
### Data Exfiltration/Impact
- The malicious payload executed within CI runners, leading to the dumping of CI runner memory containing workflow secrets.
- These secrets were subsequently visible to the public in the affected repositories' workflow logs, though they were double-encoded/obfuscated. No external exfiltration to attacker-controlled servers was observed at the time of reporting.
### Detection & Response
- Detection: Wiz Research identified the likely precursor attack (`reviewdog/action-setup`) following earlier reports on `tj-actions/changed-files`.
- Response actions taken: Wiz disclosed the findings to reviewdog and GitHub. Organizations were advised to search for usages of the affected actions, implement strict pinning, and rotate leaked secrets immediately.
## Attack Methodology
- Initial Access: Gaining write access to the `reviewdog/action-setup` repository (specifically the v1 tag pointer) likely through a compromised contributor's credentials or PAT.
- Persistence: Not explicitly detailed, but initial persistence relied on the maintained malicious tag reference.
- Privilege Escalation: Not explicitly detailed, though the direct root cause identified for the *subsequent* tj-actions incident was a compromised PAT.
- Defense Evasion: The payload was base64 encoded and inserted directly into an execution script (`install.sh`), differing from the HTTP retrieval method seen in the tj-actions incident.
- Credential Access: The attack did not actively *exfiltrate* credentials via network C2 but caused them to be **exposed** directly in logs accessible by the public.
- Discovery: N/A (Attacker leveraged trusted third-party actions).
- Lateral Movement: The compromised Action served as the means to propagate the malicious code upon execution across dependent runners.
- Collection: CI runner memory containing workflow secrets was dumped.
- Exfiltration: Public log exposure (Secrets dumped into public repository logs).
- Impact: Leakage of sensitive organizational secrets (PATs, API keys, etc.) used within CI/CD pipelines.
## Impact Assessment
- Financial: Not quantified, but likely includes costs associated with incident response, security audits, and credit/mandated notification requirements depending on data types exposed.
- Data Breach: Sensitive organizational secrets and credentials stored as GitHub Secrets within the CI/CD workflows.
- Operational: Required immediate remediation (secret rotation, removal of dependencies) for all dependent repositories to stop ongoing risk.
- Reputational: Significant risk due to public exposure of CI secrets in organizational workflow logs.
## Indicators of Compromise
- Network indicators: None explicitly listed as exfiltration did not appear to occur via C2 channel.
- File indicators: Malicious commit on `reviewdog/action-setup` repository pointing v1 tag to commit hash `f0d342` (Defanged: **Reviewdog/action-setup@v1 pointing to specific malicious commit hash**).
- Behavioral indicators: CI workflows executing steps that dump runner memory contents or show unexpectedly base64-encoded command execution within setup scripts.
## Response Actions
- Containment Measures: Organizations were advised to immediately remove all references to the affected GitHub Actions across all branches of their repositories.
- Eradication Steps: Immediate rotation of any and all secrets utilized within the compromised workflows.
- Recovery Actions: Deleting affected workflow runs (after downloading logs for evidence) and reverting dependencies to pinned hash references.
## Lessons Learned
- Key Takeaways: Supply chain attacks remain a high-risk vector, especially when utilizing widely adopted third-party CI/CD components. The compromise of one Action can cascade to others that depend on it (chaining effect).
- What could have been done better: The contributor base and automated contributor invitations may have increased the attack surface for the reviewdog organization.
## Recommendations
- Prevention Measures for Similar Incidents:
1. **Pin Dependencies to Hashes:** Pin all GitHub Actions usage (including transitive dependencies) to specific commit hashes instead of version tags (requires ongoing maintenance).
2. **Restrict Usage:** Use GitHub’s allow-listing feature to block unauthorized third-party Actions from running.
3. **Audit Logs:** Continuously monitor GitHub audit logs for suspicious activity, especially unusual bot uses or credential abuse post-compromise.
4. **Log Management:** Be aware that secrets can temporarily reside in public logs; review logs covering the exposure window *before* deletion.