prisma is using a compromised tj-actions/changed-files GitHub action

Filing a public issue instead of reporting this as a private vulnerability, since this malware is a publicly known and an urgent issue.

prisma uses a compromised version of tj-actions/changed-files. The compromised action appears to leak secrets the runner has in memory.

The action is included in:
  - https://github.com/prisma/docs/blob/main/.github/workflows/lost-pixel.yml
  - https://github.com/prisma/docs/blob/main/.github/workflows/list-changed-pages.yml

Output of an affected run on prisma:
  - https://github.com/prisma/docs/actions/runs/13866614354/job/38806902562#step:3:56;
  - https://github.com/prisma/docs/actions/runs/13866700503/job/38807159456#step:4:56
 
From brief analysis, what was leaked looks serious. Please take immediate action.

Please review.

Learn about the compromise on [StepSecurity](https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised) of [Semgrep](https://semgrep.dev/blog/2025/popular-github-action-tj-actionschanged-files-is-compromised/).

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

prisma is using a compromised tj-actions/changed-files GitHub action #6743

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

prisma is using a compromised tj-actions/changed-files GitHub action #6743

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions