GitHub suffers a cascading supply chain attack compromising CI/CD secrets


CISA confirms cascading attack from reviewdog to tj-actions exposed sensitive credentials across 23,000+ repositories.

While GitHub and reviewdog maintainers have implemented fixes, Wiz warns that if any compromised actions remain in use, a repeat attack targeting “tj-actions/changed-files” could still occur — especially if exposed secrets are not rotated. Wiz researchers noted that the project “maintains a large contributor base and accepts new members via automated invites,” potentially creating security weaknesses in their permission structure. “In such cases, all references to affected actions should be removed across branches, workflow logs should be deleted, and any potentially exposed credentials must be rotated immediately,” the report suggested.
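The first remediation step in the report, removing every reference to the affected actions across branches, is easy to get wrong by hand. The following scanner is an added example (not code from the article, Wiz, GitHub or the reviewdog/tj-actions projects): it walks a checkout's `.github/workflows` directory and reports each `uses:` line that references an action under the `tj-actions` or `reviewdog` owner, the two namespaces the article names. The owner list, the constructed sample workflow, and the check for whether a ref is a full 40-character commit SHA (a general pinning practice the article does not discuss) are all assumptions of this example.

```python
"""Find workflow references to affected GitHub Actions owners.

Added example, not from the article. Assumes the affected actions are
everything published under the owners listed in AFFECTED_OWNERS.
"""
import re
import sys
from pathlib import Path

# Owners named in the article (assumption: treat all their actions as affected).
AFFECTED_OWNERS = ("tj-actions", "reviewdog")

# Matches `uses: owner/repo[/subdir]@ref`, with or without a leading "- " and quotes.
# Local actions (`uses: ./path`) have no "@ref" and are intentionally not matched.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^@'"\s]+)@([^'"\s#]+)""")

# A ref that is a full commit SHA cannot be moved the way a tag or branch can.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def scan_workflow(text: str):
    """Return (line_no, action, ref, pinned_by_sha) for each affected `uses:` line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        action, ref = match.group(1), match.group(2)
        owner = action.split("/")[0]
        if owner in AFFECTED_OWNERS:
            findings.append((line_no, action, ref, bool(FULL_SHA_RE.match(ref))))
    return findings


def scan_repo(root: Path):
    """Scan every workflow file under <root>/.github/workflows on the checked-out branch."""
    results = {}
    workflows = root / ".github" / "workflows"
    for path in sorted(workflows.glob("*.y*ml")):
        hits = scan_workflow(path.read_text(encoding="utf-8"))
        if hits:
            results[str(path.relative_to(root))] = hits
    return results


# Constructed sample workflow used when no repository path is given.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: reviewdog/action-setup@0123456789abcdef0123456789abcdef01234567
      - run: echo ok
"""


def main(argv):
    if len(argv) > 1:
        results = scan_repo(Path(argv[1]))
    else:
        results = {"<sample>": scan_workflow(SAMPLE_WORKFLOW)}
    for path, hits in results.items():
        for line_no, action, ref, pinned in hits:
            kind = "full SHA" if pinned else "mutable ref"
            print(f"{path}:{line_no}: {action}@{ref} ({kind})")
    # Non-zero exit lets this run as a CI gate.
    return 1 if any(results.values()) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The scanner only sees the branch that is checked out, so to cover "all references across branches" run it once per branch (for example in a loop over `git branch -r`), and treat every hit, pinned or not, as a reference to review and remove; rotating any secrets those workflows could read is a separate step the article also calls for.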

