A recent security incident involving the widely-used tj-actions/changed-files GitHub Action raises serious concerns about CI/CD security. A new maintainer briefly hijacked the Action, releasing a version with malicious payloads capable of remote code execution. Despite swift removal, this breach highlighted the vulnerability in trusting open-source Actions, as many teams overlook auditing their security. The incident prompted urgent calls for implementing best practices including Action pinning and conducting third-party audits to strengthen security within the GitHub Actions ecosystem.
In March 2025, a new maintainer briefly hijacked the tj-actions/changed-files Action, embedding malicious code that triggered significant concern about CI/CD security.
The incident highlights an emerging attack surface—the supply chain of Actions themselves—illustrating that many teams do not scrutinize the security of their imported Actions.
Users became aware of the threat when they noticed the new version contained an obfuscated curl | bash pattern, a significant red flag for remote execution.
This breach revealed a crucial blind spot where developers often trust GitHub Actions without considering the security implications, unlike packages or containers.
Collection
[
|
...
]