Uncovering and Responding to the tj-actions Supply Chain Breach
Black Hat USA 2025 · Day 1 · Briefings
On March 14, 2025, Step Security's automated detection system identified that the widely used `tj-actions/changed-files` GitHub Action had been compromised via a chained supply chain attack originating from a pull request vulnerability in an unrelated repository. The malicious "imposter commit" used a memory-dumping technique to harvest CI/CD secrets — including AWS access keys and GitHub tokens — from the build logs of over 23,000 public repositories. The attack exploited GitHub's mutable release tags and a novel "imposter commit" technique that left no visible trace in repository history.

---
AI review
A real-world supply chain incident, detected in production, dissected with forensic precision, and turned into actionable guidance. The imposter commit technique is a legitimate novel attack primitive, and the baseline-driven detection story validates the methodology cleanly. Step Security had skin in the game here — this isn't academic retrospective.
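
The abstract's point about mutable release tags can be checked for in your own workflows. The following is an added example, not code from the talk, the review, or Step Security: a small linter that flags every remote `uses:` reference not pinned to a full 40-character commit SHA. The function name, the `example-org` actions, and all refs and the SHA in the sample workflow are constructed for illustration.

```python
import re

# A step- or job-level "uses:" value: optional list dash, optional quotes, stops at a comment.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^'"\s#]+)['"]?""")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_mutable_refs(workflow_text):
    """Return (line_no, action, ref) for each remote action not pinned to a full commit SHA."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        # Local actions and container images are pinned differently; out of scope here.
        if target.startswith(("./", "../", "docker://")):
            continue
        action, sep, ref = target.partition("@")
        if not sep:
            findings.append((line_no, action, ""))   # no ref at all
        elif not FULL_SHA_RE.match(ref):
            findings.append((line_no, action, ref))  # tag, branch, or short SHA
    return findings


# Constructed sample workflow; the refs and the SHA are placeholders, not real releases.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # pinned
      - uses: tj-actions/changed-files@v1
      - name: lint
        uses: "example-org/lint-action@main"
      - uses: example-org/short-sha@0123456
      - uses: ./.github/actions/local
"""

if __name__ == "__main__":
    for line_no, action, ref in find_mutable_refs(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action}@{ref or '<none>'} is not pinned to a full commit SHA")
```

A full SHA makes the reference immutable, but it does not by itself show that the commit belongs to the upstream repository's own history, so the pinned commit still has to be verified against the action's branches or releases.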