Which products are affected?
As of March 15, 2025, all versions of tj-actions/changed-files were found to be affected, as the attacker managed to modify existing version tags to make them all point to their malicious code. Customers who were using a hash-pinned version of tj-actions/changed-files would not be impacted, unless they had updated to an impacted hash during the exploitation timeframe.
In workflows that perform production deployments, leaked secrets might include keys allowing access to cloud production environments as well as internal source code repositories.
How can We help?
- Stop using
tj-actions/changed-filesimmediately and replace it with a safer alternative if possible. - Remove all references to the action across all branches of your repositories, not just the main branch, to prevent potential execution in other branches.
- Rotate any leaked secrets as soon as possible. Deleting the relevant workflow will also remove all the logs, which can prevent further exposure of the secrets. However, it is also recommended to download workflow logs from the exposure window before deleting anything.
- Stop using tj-actions/changed-files immediately and replace it with a safer alternative if possible.
- Remove all references to the action across all branches of your repositories, not just the main branch, to prevent potential execution in other branches.
- Rotate any leaked secrets as soon as possible. Deleting the relevant workflow will also remove all the logs, which can prevent further exposure of the secrets. However, it is also recommended to download workflow logs from the exposure window before deleting anything.