Close the CI/CD Security Gap. Enhance GitHub Actions Security with StepSecurity Maintained Actions and robust runner runtime security with network egress filtering| www.stepsecurity.io
.png)
Analysis of the tj-actions/changed-files GitHub Actions compromise, assessing the impact and damage from the attack.| www.endorlabs.com
A supply chain attack on the widely used 'tj-actions/changed-files' GitHub Action, used by 23,000 repositories, potentially allowed threat actors to steal CI/CD secrets from GitHub Actions build logs.| BleepingComputer
Popular GitHub Action tj-actions/changed-files has been compromised with a payload that appears to attempt to dump secrets, impacting thousands of CI pipelines.| Semgrep
A supply chain attack on tj-actions/changed-files leaked secrets. Wiz Research found another attack on reviewdog/actions-setup, possibly causing the compromise.| wiz.io
A compromise of the GitHub action tj-actions/changed-files highlights how attackers could exploit vulnerabilities in third-party actions to compromise supply chains. A compromise of the GitHub action tj-actions/changed-files highlights how attackers could exploit vulnerabilities in third-party actions to compromise supply chains.| Unit 42
Yesterday, the tj-actions repository, a popular tool used with Github Actions was compromised (for more background read one of these two articles). Watching the infrastructure and security engineering teams at Carta respond, it highlighted to me just how much LLMs can’t meaningfully replace many essential roles of software professionals. However, I’m also reading Jennifer Palkha’s Recoding America, which makes an important point: decision-makers can remain irrational longer than you can...| lethain.com