GitHub Action supply chain attack exposes critical identity security gaps

The recent supply chain attack on the GitHub Action tj-actions/changed-files highlights the growing threat of identity-based attacks and their potential for widespread damage. Discovered by StepSecurity on March 14, 2025, this attack affected over 23,000 repositories. Attackers modified the action’s code and updated version tags to include a malicious commit, causing the compromised action to print CI/CD secrets in GitHub Action build logs. These secrets could then be exposed to anyone through publicly accessible workflow logs. Although there is no direct evidence of exfiltration to a remote network, the possibility of data exposure remains a serious concern.

MITRE ATT&CK workflow of the incident

Initial access

Attackers gained control over the tj-actions/changed-files GitHub repository, allowing them to modify existing tags. They created a new version containing malicious code and tagged it with legitimate labels. As a result, GitHub Action automatically pulled the latest tagged version and executed the compromised code in various workflows.

Persistence

By modifying existing GitHub Action tags, the attackers ensured that any repository referencing this action would automatically run the malicious version. Developers who used versioned tags (e.g., v1) inadvertently ran compromised code without altering their configurations.

Privilege escalation

The malicious script ran with the permissions granted to the GitHub runner, allowing access to environment variables and internal tokens without additional escalation techniques. Because CI/CD workflows often have elevated privileges, attackers could extract highly sensitive credentials.

Execution

When the compromised GitHub Action ran in CI/CD workflows, it downloaded and executed a malicious Python script (memdump.py) from a remote GitHub Gist. This script scanned the memory of the CI/CD runner for stored credentials and environment variables.

Credential access

The script combed through the CI/CD runner’s memory for authentication tokens, AWS keys, and GitHub secrets. These credentials were crucial for accessing cloud environments, modifying repositories, and potentially escalating privileges.

Defense evasion

GitHub masks secrets in logs to prevent accidental disclosure, but the attackers bypassed this safeguard by double Base64-encoding the stolen secrets. This obfuscation prevented GitHub from detecting and redacting them, leaving plaintext credentials exposed in workflow logs once decoded.

Exfiltration

The stolen credentials were printed directly in GitHub workflow logs in their double Base64-encoded format. Any attacker monitoring these logs could decode the secrets and gain unauthorized access.

Direct impact

With access to leaked secrets, attackers could:

• Enter cloud environments using AWS access keys.
• Modify or delete repositories via GitHub Personal Access Tokens (PATs).
• Compromise package integrity by leaking NPM tokens or private RSA keys.

In public repositories, anyone could view the logs and extract exposed credentials, greatly increasing the overall risk.

What is the impact on identity security?

The compromise of GitHub Action significantly affected identities across multiple platforms (e.g., AWS Access and Secret Keys, GitHub PATs, Azure and GCP credentials, NPM and Docker Hub tokens). The breach did not only impact GitHub itself, but also extended to other services where users had integrated their identities into CI/CD workflows. Potential consequences include:

• Impersonation of Developers
  Compromised GitHub PATs allow attackers to impersonate trusted contributors, modify code repositories, insert new vulnerabilities or malicious code, and manipulate project settings.
• Unauthorized Access to Cloud Services
  Using the leaked AWS, GCP, and Azure credentials, attackers could impersonate identities to perform malicious activities, potentially leading to data breaches, service disruption, or privilege escalation.
• Package Management System Exploits
  Attackers can publish or modify packages using compromised NPM and Docker Hub tokens, inserting vulnerabilities or malicious code into widely used libraries and images.
  

How Unosecur can help secure identities

Unosecur offers a comprehensive suite of identity security solutions designed to protect organizations from identity-based threats such as those exposed by this recent GitHub Action supply chain attack.

1. Real-time Identity Threat Detection and Response (ITDR)
   Continuous monitoring of identity activities across multi-cloud environments enables rapid detection of anomalies and potential threats. Suspicious behaviors—like privilege escalations or unauthorized access attempts—trigger alerts for immediate remediation.
2. Activity-based access control
   Unosecur helps implement the principle of least privilege through IamOps. With the help of IAMOps, users can create Just Enough Privileges and Just-In-Time Privileges, attaching policies to identities to ensure both human and non-human accounts have only the permissions they need. This minimizes the risk of credential misuse and limits the impact of compromised accounts.
3. Comprehensive Identity Security Posture Management (ISPM)
   Unosecur provides continuous visibility into your organization’s identity security posture by analyzing access permissions and activities in detail. This facilitates in-depth forensic investigations, ensures compliance with security policies, and enables proactive vulnerability remediation.

By leveraging Unosecur’s advanced identity security solutions, organizations can proactively defend against identity-based attacks, safeguard critical assets, and maintain the integrity of their cloud infrastructures.