GitHub Actions Supply Chain Attack: A Targeted Attack on Coinbase Expanded to the Widespread tj-actions/changed-files Incident: Threat Assessment (Updated 4/2)

A supply chain attack on tj-actions/changed-files leaked secrets. Wiz Research found another attack on reviewdog/actions-setup, possibly causing the compromise.

Dimitri Stiliadis, CTO from Endor Labs, discusses the recent tj-actions/changed-files supply chain attack, where a compromised GitHub Action exposed CI/CD secrets. We explore the impressive multi-stage attack vector and the broader often-overlooked vulnerabilities in our CI/CD pipelines, emphasizing the need to treat these build systems with production-level security rigor instead of ignoring them. Episode Links Dimitri’s Linkedin Endor Labs Harden-Runner detection: tj-actions/changed-files action is compromised Unit 42 tj-actions analysis This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player.

GitHub Device Code phishing: A new attack vector targeting developers. Learn how attackers abuse OAuth flows to compromise organizations and steal source code.

cool Table of Contents Intro Lore CVE-2026-25598 Bypass using sendto Bypass using sendmsg Bypass using sendmmsg Closing Thoughts Intro Lore GitHub ...

Anne Robinson would like a word with .github/workflows

GitHub Actions has a package manager that ignores decades of supply chain security best practices: no lockfile, no integrity verification, no transitive pinning

Project compromises have common root causes we can mitigate: phishing, control handoff, and unsafe GitHub Actions triggers.