Live Threats
[STRUTS]Apache Struts zero-day (CVE-2026-3101) under mass exploitation — ransomware groups deploying web shells on Java web apps. Patch immediately.|
[LAZARUS]North Korean Lazarus Group targets SMB defense contractors via fake LinkedIn recruiter profiles delivering trojanized job documents.|
[DEEPFAKE]Deepfake CEO video call fraud stole $3.2M in a single transaction. AI voice and face synthesis now indistinguishable — targeting US SMBs.|
[CHROME]CVE-2026-2356 Chrome zero-day actively exploited to deliver spyware. Update to 136.0.7103.92 immediately on all devices.|
[HIPAA]HHS finalized major HIPAA Security Rule updates — mandatory encryption at rest, MFA, and annual pen testing effective December 31, 2026.|
[CISA KEV]CISA added 15 new KEV entries this week — six are priority patches for internet-facing systems including Struts, Chrome, Cisco, Fortinet, Ivanti, and VMware.|
[STRUTS]Apache Struts zero-day (CVE-2026-3101) under mass exploitation — ransomware groups deploying web shells on Java web apps. Patch immediately.|
[LAZARUS]North Korean Lazarus Group targets SMB defense contractors via fake LinkedIn recruiter profiles delivering trojanized job documents.|
[DEEPFAKE]Deepfake CEO video call fraud stole $3.2M in a single transaction. AI voice and face synthesis now indistinguishable — targeting US SMBs.|
[CHROME]CVE-2026-2356 Chrome zero-day actively exploited to deliver spyware. Update to 136.0.7103.92 immediately on all devices.|
[HIPAA]HHS finalized major HIPAA Security Rule updates — mandatory encryption at rest, MFA, and annual pen testing effective December 31, 2026.|
[CISA KEV]CISA added 15 new KEV entries this week — six are priority patches for internet-facing systems including Struts, Chrome, Cisco, Fortinet, Ivanti, and VMware.|
View All
GitHub Actions Supply Chain Attack — tj-actions/changed-files Compromised, 23,000 Repositories Affected
Security News/Issue #25 — May 29 – June 4, 2026
THREAT INTELHIGH

GitHub Actions Supply Chain Attack — tj-actions/changed-files Compromised, 23,000 Repositories Affected

Published May 30, 2026
Current as of May 30, 2026
5 min read
Source: GitHub Security Lab / StepSecurity / Wiz
SHARE:
Affected Systems
Any GitHub repository using tj-actions/changed-files (all versions compromised during the attack window)CI/CD pipelines with secrets exposed through GitHub Actions environment variablesCloud infrastructure provisioned through affected CI/CD pipelines (AWS, Azure, GCP)Docker image registries accessible through compromised pipeline credentialsInternal services accessible through SSH keys or API tokens exposed in affected pipelines
Executive Summary

The widely-used GitHub Action tj-actions/changed-files was compromised in a supply chain attack that injected credential-stealing code into downstream CI/CD pipelines. An estimated 23,000 repositories were exposed. Attackers may have exfiltrated secrets, API keys, and deployment credentials from affected pipelines.

What Happened

On May 27, 2026, security researchers at StepSecurity detected anomalous behavior in the widely-used GitHub Action tj-actions/changed-files, a community action with over 23,000 dependent repositories. The action's maintainer account was compromised through a phishing attack, and the attacker pushed malicious updates to multiple version tags including v44, v43, v42, and v41. The compromised versions contained obfuscated JavaScript that reads CI/CD environment variables — which typically contain secrets, API keys, and deployment credentials — and exfiltrates them to an attacker-controlled server. StepSecurity's analysis confirmed that during the approximately 18-hour window between the malicious commit and its detection, thousands of CI/CD pipeline runs executed the compromised action and potentially exposed their secrets to the attacker.

The Attack Mechanism: Tag Mutation

The attack exploited a fundamental weakness in how many organizations reference GitHub Actions. Most repository workflows reference actions by version tag — for example, `tj-actions/changed-files@v44`. The v44 tag is a mutable pointer that the action maintainer can update at any time. When the attacker gained access to the maintainer's account, they simply moved the v44 tag to point to a malicious commit. Every workflow that referenced `@v44` automatically started using the compromised version on their next pipeline run, with no visible change to the workflow file. This is called a tag mutation attack, and it is completely invisible to repository owners — the workflow file looks identical, the commit history shows no changes, and the pipeline runs normally. The only defense is to pin actions by full commit SHA, which is immutable: `tj-actions/changed-files@a1b2c3d4e5f6...`. GitHub and the OpenSSF have been advocating for SHA-pinning for years, but adoption remains low.

What Was Exposed

The compromised action had access to every environment variable and secret configured in the workflow. In a typical CI/CD pipeline, this includes: GitHub repository secrets (deploy keys, API tokens, cloud provider credentials), environment-specific secrets (staging, production), Docker registry credentials, npm/PyPI publishing tokens, and SSH private keys used for deployment. Any of these secrets that were exposed during the attack window should be considered compromised. StepSecurity and Wiz published detailed lists of the specific data fields the malicious code was designed to exfiltrate, and confirmed that the exfiltration target was an attacker-controlled server hosted on a VPS provider. GitHub has since revoked the compromised personal access tokens and notified affected repository owners, but the onus is on individual organizations to rotate their secrets.

Immediate Response Checklist

If your organization uses GitHub Actions, take the following steps immediately. First, audit all workflow files across all repositories for any reference to tj-actions/changed-files and pin to a verified safe commit SHA. Second, rotate every secret, API key, and credential that was accessible in any affected pipeline — assume all of them are compromised. Third, review your CI/CD pipeline execution logs for the attack window (May 27-28, 2026) for unusual outbound network connections or unexpected script executions. Fourth, implement a policy requiring all GitHub Actions to be pinned by commit SHA rather than version tag. Fifth, enable branch protection rules requiring pull request reviews for any change to workflow files in the .github/workflows directory. Segler.Net can assist with CI/CD pipeline security auditing and secrets rotation.

Intel last verified: May 30, 2026 — Threat status, patch availability, and affected systems are current as of this date.
Key Takeaways & Action Items
  • Audit your GitHub repositories immediately — check if any workflow uses tj-actions/changed-files and pin to a verified safe version
  • Rotate all secrets, API keys, and deployment credentials that were accessible in affected CI/CD pipelines
  • Implement GitHub Actions pinning — always reference actions by commit SHA, not version tag, to prevent tag mutation attacks
  • Enable branch protection rules and require pull request reviews for any changes to workflow files
  • Review your CI/CD pipeline logs for the past 30 days for signs of credential exfiltration or unauthorized deployments
Share This
LinkedInX / TwitterEmail

Need Help With This Threat?

Our San Antonio security team can assess your exposure, apply patches, and protect your business before attackers strike.

Schedule a Security ReviewCall (210) 496-7313

Stay ahead of the next threat

Get weekly security alerts — breaches, patch updates, compliance news, and threat intel — delivered free to your inbox every week.

Breach alerts
Patch roundups
Compliance news
No spam, ever
Back to Issue #25: May 29 – June 4, 2026
PREVIOUS ARTICLE
Fake CAPTCHA Campaign Delivers Lumma Stealer v4.0 — AI-Generated Lures Harvest Session Tokens and Browser Passwords
NEXT ARTICLE
CVE-2026-6673 — Windows Kernel Zero-Day Actively Exploited, SYSTEM Escalation via IOCTL Handler