Not Just a Pipeline Leak: Reconstructing Real Attack Behind tj-actions

Aviad Hahami

DEF CON 33 · Day 2 · Main Stage

On March 14, 2025, an attacker compromised the popular GitHub Actions repository `tj-actions/changed-files` and injected code that printed CI runner secrets to job logs. The widely reported story was

AI review

Aviad Hahami reconstructs the March 2025 tj-actions supply chain attack and argues the widely reported narrative — mass credential harvesting — was wrong. Through graph-based analysis of the GitHub Actions dependency network, he traces a multi-stage chain to a specific high-value downstream target, demonstrates that the credential log-dumping was likely noise or distraction, and extracts a methodology for CI/CD supply chain forensics.