Finding Unpinned and Unpinnable GitHub Actions
How to identify unpinned and unpinnable GitHub actions across your organisation
Harden-Runner detection: tj-actions/changed-files action is compromised - StepSecurity
stepsecurity.iotj-actions/changed-files
Career advice in 2025.
Yesterday, the tj-actions repository, a popular tool used with Github Actions was compromised (for more background read one of these two articles). Watching the infrastructure and security engineering teams at Carta respond, it highlighted to me just how much LLMs can’t meaningfully replace many essential roles of software professionals. However, I’m also reading Jennifer Palkha’s Recoding America, which makes an important point: decision-makers can remain irrational longer than you can remain solvent. (Or, in this context, remain employed.)
GitHub Actions Cache Poisoning is eating open source
Angular. tj-actions. Cline. TanStack. The same class of attack has been quietly hijacking publish pipelines for two years. Here's what it is, how it works, and what you need to do today.
GitHub Action supply chain attack: reviewdog/action-setup | Wiz Blog
A supply chain attack on tj-actions/changed-files leaked secrets. Wiz Research found another attack on reviewdog/actions-setup, possibly causing the compromise.
tj-actions with Endor Lab's Dimitri Stiliadis
Dimitri Stiliadis, CTO from Endor Labs, discusses the recent tj-actions/changed-files supply chain attack, where a compromised GitHub Action exposed CI/CD secrets. We explore the impressive multi-stage attack vector and the broader often-overlooked vulnerabilities in our CI/CD pipelines, emphasizing the need to treat these build systems with production-level security rigor instead of ignoring them. Episode Links Dimitri’s Linkedin Endor Labs Harden-Runner detection: tj-actions/changed-files action is compromised Unit 42 tj-actions analysis This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player.
GitHub - step-security/harden-runner: Harden-Runner is a CI/CD security agent that works like an EDR for GitHub Actions runners. It monitors network egress, file integrity, and process activity on those runners, detecting threats in real-time.
Harden-Runner is a CI/CD security agent that works like an EDR for GitHub Actions runners. It monitors network egress, file integrity, and process activity on those runners, detecting threats in re...
GitHub - step-security/changed-files: Github action to retrieve all (added, copied, modified, deleted, renamed, type changed, unmerged, unknown) files and directories. Secure drop-in replacement for tj-actions/changed-files.
Github action to retrieve all (added, copied, modified, deleted, renamed, type changed, unmerged, unknown) files and directories. Secure drop-in replacement for tj-actions/changed-files. - step-sec...
Career advice in 2025.
Yesterday, the tj-actions repository, a popular tool used with Github Actions was compromised (for more background read one of these two articles). Watching the infrastructure and security engineering teams at Carta respond, it highlighted to me just how much LLMs can’t meaningfully replace many essential roles of software professionals. However, I’m also reading Jennifer Palkha’s Recoding America, which makes an important point: decision-makers can remain irrational longer than you can remain solvent. (Or, in this context, remain employed.)
How to Safely Update Your Dependencies
With all the supply chain attacks happening lately (litellm being the most recent example) keeping dependencies up to date without risk has been on my mind. Below is everything I do to keep my personal projects secure, what we do at Fencer to keep our own codebase secure, and what we recommend to the startups we work with. Be hesitant about what you add The best way to reduce the risk of installing a compromised dependency is to avoid relying on it in the first place. Before adding a new dependency, I first make sure that implementing it ourselves would be too much work (or tokens!).
Building a more secure npm ecosystem with Mend Renovate · Jamie Tanna | Software Engineer
Discover how Mend Renovate 42 is strengthening npm ecosystem security with "minimum release age” enforcement and best-practice defaults.
Really keeping your GitHub Actions usage secure
Learn how to protect your GitHub Actions pipelines from supply chain attacks by forking actions, using internal marketplaces, and enabling Dependency Alerts.
Last Week in Security (LWiS) - 2025-03-17
Evilginx Pro (@mrgretzky), Pre-auth RCE in a CMS (@chudyPB), GOAD ADCS (@M4yFly), YouTube email disclosure (@brutecat), SAML parser bug (@ulldma.bsky.social/@ulldma@infosec.exchange), and more!
Continuous integration ≠ Continuous delivery
Discover why separating CI from CD using cloud platforms like AWS or Google Cloud enhances security and efficiency in your software delivery pipeline.
Supply Chain Security Risk: GitHub Action tj-actions/changed-files Compromised
CVE-2024-29029 allow malicious code injection in a popular GitHub Action potentially exposing secrets. Repos using affected versions are at risk
GitHub Action tj-actions/changed-files supply chain attack | Wiz Blog
A supply chain attack on GitHub Action tj-actions/changed-files caused many repositories to leak their secrets.
GitHub Actions Supply Chain Attack: A Targeted Attack on Coinbase Expanded to the Widespread tj-actions/changed-files Incident: Threat Assessment (Updated 4/2)
A compromise of the GitHub action tj-actions/changed-files highlights how attackers could exploit vulnerabilities in third-party actions to compromise supply chains. A compromise of the GitHub action tj-actions/changed-files highlights how attackers could exploit vulnerabilities in third-party actions to compromise supply chains.
Detecting malicious pull requests at scale with LLMs | Datadog
Learn how Datadog’s SDLC Security team built an LLM-powered system to detect malicious pull requests at scale—without sacrificing developer velocity.