Using a compromised tj-actions/changed-files GitHub Action

[shubham-stepsecurity]

Filing a public issue instead of reporting this as a private vulnerability, since this malware is a publicly known and an urgent issue.

This repo uses a compromised version of tj-actions/changed-files. The compromised action leaks secrets the runner has in memory.

build/.github/workflows/typescript-nudge.yml

Line 21 in 2f622d9

uses: tj-actions/changed-files@v45

This run ids has creds leaked. Please rotate (if applicable) and delete the workflow run.
13868497253, 13864925685, 13864889086, 13864866512, 13864008301
https://github.com/netlify/build/actions/runs/13868497253/job/38811907042#step:3:60

You can also use https://github.com/step-security/changed-files going forward.

Reference about this incident: https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised

[serhalp]

Thank you @shubham-stepsecurity. We appreciate this!

We identified this vulnerability on Friday and determined that the impact was effectively none — fortunately, the only tokens being leaked in that workflow are temporary tokens issued by GitHub within each workflow run.

Regardless, we've upgraded to a fixed release of the Action and rotated secrets internally.

Thanks again!