malicious code in actions

While developers rushed to build their next big feature, a supply-chain compromise of tj-actions/changed-files sat in plain sight, potentially exposing CI secrets to attackers worldwide. The action's own code was not the bug: a threat actor retroactively repointed the existing version tags, v1 through v45.0.7, at a commit carrying malicious updateFeatures code, so any workflow that referenced the action by tag silently picked up the payload on its next run. That code dumped the runner's memory and printed the secrets it found into the job log, where anyone who could read the logs of a public repository could collect them (CVE-2025-30066; fixed in v46). Talk about a security nightmare.

This isn't just some minor bug. The CVSS picture is the worst kind: network-reachable, low attack complexity, no privileges and no user interaction required, high confidentiality impact. Anyone who can read a job log is a remote attacker. Developers who reference third-party actions by a mutable tag, which is almost everyone, might want to rethink that strategy.

The scariest part? Only 4.74% of custom GitHub Actions are created by verified users. Let that sink in. The rest? Who knows. Could be your friendly neighborhood developer or someone with more sinister intentions. And with 18% of actions harboring vulnerable dependencies, the odds aren’t exactly in your favor.

Trust the vast majority of GitHub Actions at your own risk: most are unverified, and an unverified action is only as trustworthy as the one account that can push to its tags.

Most GitHub Actions are maintained by lone developers. One person. One set of eyes. One phished account away from compromising your entire build pipeline. The average OpenSSF Scorecard result sits at a measly 4.23 out of 10. Not exactly confidence-inspiring. Re-audit the actions you depend on regularly: the maintainer, the tag and the code behind the tag can all change after you first reviewed them.

Misconfigurations make everything worse. A staggering 98.4% of action references are not pinned to a commit SHA, so they follow whatever a tag points at today, and 86% of workflows hand the GITHUB_TOKEN more permissions than the job needs. Might as well hand over the keys to your kingdom wrapped in a bow.
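The two misconfigurations above are easy to find mechanically. The script below is an added example, not code from the original post or from any GitHub project: a grep/sed audit that reports every `uses:` reference not pinned to a full 40-hex commit SHA and classifies the workflow's `permissions:` setting. The two workflow files are constructed for the demo, the commit SHAs in them are placeholders rather than real commits, and the check is a heuristic (it reads only `uses:` and `permissions:` lines and looks at the first `permissions:` key it finds).

```bash
#!/usr/bin/env bash
# Added example, not code from the original post or from any GitHub project:
# a grep/sed audit for the two misconfigurations the post quantifies, unpinned
# action references and an overprivileged GITHUB_TOKEN. It only inspects
# `uses:` and `permissions:` lines, so no YAML parser is needed.

# Constructed sample workflow (not taken from a real repository). Two `uses:`
# lines float on a mutable tag; the third is pinned to a 40-hex commit SHA.
# The SHA is a placeholder, not a real commit.
WEAK_WORKFLOW=$(cat <<'EOF'
name: ci
on: [pull_request]
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
      - run: npm test
EOF
)

# The same workflow hardened: every reference pinned to a full SHA (placeholders
# again; pin to the commit behind the release you actually reviewed) and a
# least-privilege permissions block instead of write-all.
HARDENED_WORKFLOW=$(cat <<'EOF'
name: ci
on: [pull_request]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@fedcba9876543210fedcba9876543210fedcba98 # placeholder SHA, v4.x
      - uses: tj-actions/changed-files@89abcdef0123456789abcdef0123456789abcdef # placeholder SHA, v46.x
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
      - run: npm test
EOF
)

# list_uses WORKFLOW: print each `uses:` target as owner/repo@ref, comments stripped.
list_uses() {
    printf '%s\n' "$1" \
      | sed -n 's/^[[:space:]]*-\{0,1\}[[:space:]]*uses:[[:space:]]*//p' \
      | sed 's/[[:space:]]*#.*$//'
}

# unpinned_uses WORKFLOW: print every reference whose ref is not a full 40-hex
# commit SHA. Tags and branches are mutable, which is exactly how tj-actions
# users were hit. In-repo actions (./path) have no ref and are skipped.
# Exit status 0 when everything is pinned, 1 otherwise.
unpinned_uses() {
    local ref count=0
    for ref in $(list_uses "$1"); do
        case "$ref" in ./*) continue ;; esac
        if ! printf '%s' "${ref#*@}" | grep -Eq '^[0-9a-f]{40}$'; then
            printf '%s\n' "$ref"
            count=$((count + 1))
        fi
    done
    [ "$count" -eq 0 ]
}

# token_scope WORKFLOW: classify the first `permissions:` key found.
# "write-all" and "read-all" are the blanket settings; "scoped" means an
# explicit map (contents: read, ...); "default" means no key at all, so the
# repository default applies, which may still be read/write.
token_scope() {
    local line
    line=$(printf '%s\n' "$1" | grep -E '^[[:space:]]*permissions:' | head -n 1)
    case "$line" in
        "")          echo "default" ;;
        *write-all*) echo "write-all" ;;
        *read-all*)  echo "read-all" ;;
        *)           echo "scoped" ;;
    esac
}

# Demo when run directly: audit both sample workflows.
for name in WEAK_WORKFLOW HARDENED_WORKFLOW; do
    echo "== $name: GITHUB_TOKEN scope = $(token_scope "${!name}")"
    unpinned_uses "${!name}" || echo "   ^ unpinned references, pin them to a commit SHA"
done
```

Run it against a real file with `unpinned_uses "$(cat .github/workflows/ci.yml)"`. A pinned SHA is only as good as the review behind it: pin to the commit of a release you have actually looked at, and let Dependabot's github-actions updates bump the SHA when a new release ships.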

Thankfully, GitHub offers some protection: dependency graphs, Dependabot alerts, code scanning with CodeQL. Dependabot version updates for the github-actions ecosystem will even bump a pinned SHA for you when a new release ships, which removes the usual excuse for floating tags. But these tools only work if you actually enable them. Novel concept, right?

The tj-actions compromise has been cleaned up, but it raises a bigger question: how many other time bombs are ticking in your workflows? Without proper auditing, pinning to full-length commit SHAs, and implementing least privilege, you're basically playing security roulette with your codebase. Don't count on log redaction to save you either. GitHub masks a secret only where its exact value appears in the output, so a malicious step can print it in pieces with something like echo ${SOME_SECRET:0:4}, or base64-encode it, and the masker never notices. Storing credentials in GitHub Secrets rather than in plain text in the repository is still essential, but be clear about what it does and does not do: it keeps the value out of your source, not out of reach of any step that runs in a job with access to it.
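To make the redaction point concrete, here is an added example that is not code from the original post or from GitHub: a toy model of the runner's log masking (replace every exact occurrence of a registered secret value with ***, which is an assumption about the mechanism, not GitHub's implementation) and three leaks that get the secret into the log anyway. The secret value is constructed for the demo and is not a real credential.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post or from GitHub: a toy model of
# the runner's log masking and three ways a malicious step defeats it. The
# masker is an assumption about the mechanism (replace exact occurrences of
# each registered secret value with ***), not GitHub's implementation.

# Constructed, fake secret for the demo; not a real credential.
SOME_SECRET="ghp_exampleFakeToken0123456789"

# mask_log LINE SECRET...: redact every exact occurrence of each secret in LINE.
mask_log() {
    local line="$1"; shift
    local s
    for s in "$@"; do
        line="${line//"$s"/***}"
    done
    printf '%s\n' "$line"
}

# mask_log_stream: apply mask_log to every line on stdin, like the job log view.
mask_log_stream() {
    local line
    while IFS= read -r line; do
        mask_log "$line" "$SOME_SECRET"
    done
}

# Honest step: the whole value appears on one line, so it is masked.
print_secret() { printf 'token=%s\n' "$SOME_SECRET"; }

# Three leaks that never put the exact value on a single line.
leak_substring() { printf '%s\n' "${SOME_SECRET:0:4}"; }                        # the post's echo ${SOME_SECRET:0:4}
leak_chunks()    { printf '%s\n' "${SOME_SECRET:0:10}" "${SOME_SECRET:10}"; }   # whole value, split across lines
leak_base64()    { printf '%s' "$SOME_SECRET" | base64 | tr -d '\n'; echo; }    # encoded, as the real payload did

# masked_output STEP: run STEP and pass its output through the masker,
# i.e. what a reader of the job log actually sees.
masked_output() { "$1" | mask_log_stream; }

# What the attacker does with the log afterwards.
recover_from_chunks() { masked_output leak_chunks | tr -d '\n'; echo; }
recover_from_base64() { masked_output leak_base64 | base64 -d; echo; }

# Demo when run directly.
echo "direct print : $(masked_output print_secret)"
echo "substring    : $(masked_output leak_substring)"
echo "chunks       : $(masked_output leak_chunks | tr '\n' ' ')"
echo "base64       : $(masked_output leak_base64)"
echo "recovered    : $(recover_from_base64)"
```

The honest step comes out as `token=***`; the other three come out untouched and reassemble to the full value. Masking is a courtesy for accidental prints, not a boundary: the only controls that hold against a hostile step are not giving the job the secret in the first place, scoping the token to what the job needs, and pinning what runs.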

GitHub Actions are powerful. They’re also dangerous in the wrong hands. Or, apparently, in almost any hands.
