garnet.ai
garnet
Return to all posts
Breaches
tj-actions/changed-files: GitHub Actions Supply Chain Compromise

On March 14, 2025, the widely-used GitHub Action tj-actions/changed-files was compromised, putting countless repositories at risk of secret exposure. At Garnet, we closely analyzed this incident and can confidently say that we would've detected this attack at the very moment it began. Let's break down the attack and show precisely how our real-time monitoring, powered by deep behavioral analysis, would have alerted teams instantly.

Memory Dumping through a malicious GitHub Action

In short, attackers gained control of the popular tj-actions/changed-files repository and silently injected malicious code into versions from v1.0.0 to v45.0.7. They force-pushed malicious tags, causing unsuspecting workflows to execute code that fetched and ran a malicious script (memdump.py) hosted on GitHub Gist. This script scanned the GitHub Actions runner memory for secrets, extracted sensitive credentials, and printed them to logs—making these secrets accessible, especially in public repositories.

Indicators of Compromise (IoCs):

  • Malicious Commit SHA: 0e58ed8671d6b60d0890c21b07f8835ace038e67
  • Gist URL: https://gist.githubusercontent.com/nikitastupin/30e525b776c409e03c2d6f328f254965/raw/memdump.py
  • Suspicious encoded logs: Double Base64-encoded JSON blobs containing extracted secrets.
Screenshot of suspicious encoded logs containing extracted secrets

Attack Chain Simplified

Here's how the attack unfolded in simple terms:

  1. Developer workflow uses compromised action (uses: tj-actions/changed-files@v45.0.7).
  2. Malicious action downloads memdump.py using curl:
Malicious curl command downloading memdump.py script
  1. memdump.py reads /proc/[pid]/mem, extracts CI secrets, double-encodes them, and prints them in CI logs.
  2. Secrets leak publicly (in public repos) via CI logs.

How Garnet Would Have Caught This Attack

The section below details how garnet team would have been able to to catch the tj-actions/changed-files attack in real-time—leveraging findings by simulating the exploit behavior inside GitHub Actions runners when the memdump.py payload was triggered.

Here's exactly how:

1. Suspicious Network Activity Detected

Garnet actively monitors every outbound network connection made by your CI workflows. During our earlier analysis of the Ultralytics incident (which leveraged the same malicious memdump.py), our sensors triggered critical detections for suspicious external calls:

  • Critical detection: Network suspicious tool shell extension; curl retrieving scripts from GitHub Gists (gist.githubusercontent.com).
Garnet alert showing detection of suspicious network activity Detailed view of curl command detection in Garnet

Connecting directly to unknown Gists or suspicious remote hosts would instantly trigger a critical alert in Garnet—giving your team immediate visibility.

2. Real-Time File Access & Memory Dump Detection

The hallmark of this attack is the malicious reading of process memory from /proc/[pid]/mem. Garnet proactively detects such abnormal file interactions:

Garnet detection of suspicious file access to /proc/pid/mem Alert showing memory dump detection in Garnet

This detection is critical: A legitimate workflow has no reason to directly read GitHub Actions runner memory.

3. Clear Process Ancestry Visualization

In the tj-actions attack scenario, the malicious activity follows a suspicious process chain:

  • Runner.Workerbashcurlsudo python3 memdump.py

Garnet captures and visualizes this process lineage clearly, making anomalous activities obvious and actionable at a glance.

4. Comprehensive Behavioral Correlation & Alerting

Combining suspicious DNS requests, command-line activity, and abnormal file access provides a comprehensive behavioral context. Even if attackers blend malicious commands within legitimate scripts, Garnet's contextual correlation instantly detects and surfaces threats:

  • DNS anomalies (unexpected remote connections)
  • Unusual command executions (especially involving memory access)
  • High-risk file operations (e.g., /proc/[pid]/mem access)

All these events trigger immediate notifications to your team's preferred channel—Slack, PR comments, or SEIM.

5. How Would This Have Played Out in Practice?

Had Garnet been active in pipelines utilizing tj-actions/changed-files, the following alerts would've appeared in real-time:

  • Critical: curl fetching remote gist script (memdump.py).
  • Critical: Suspicious DNS activity (gist.githubusercontent.com).
  • Critical: Unauthorized memory read via Python process (/proc/[pid]/mem).

These detections would've enabled immediate containment—halting the build, rotating exposed secrets, and initiating incident response procedures long before any secrets became publicly visible.

Conclusion: Garnet as Your First Line of Defense

The tj-actions/changed-files supply chain attack serves as a stark reminder: modern development requires more than dependency scanning or static analysis alone. Attackers constantly evolve their tactics, targeting dynamic runtime behaviors that static tools can't detect.

Garnet closes that gap with:

  • Kernel-level visibility into runtime behaviors
  • Real-time alerts on suspicious actions
  • Automated actionable guidance integrated directly into developer workflows

Had Garnet been integrated with affected repositories, organizations would've instantly been alerted to the malicious activity, dramatically reducing the damage from the tj-actions compromise.

Takeaways:

  • Always pin GitHub Actions to verified commit SHAs
  • Implement behavior-based runtime detection
  • Immediately rotate CI secrets after exposure incidents

Protect Your CI/CD Environment Against Supply Chain Attacks

As supply chain compromises become increasingly sophisticated, static security measures alone aren't enough. The tj-actions incident demonstrates how runtime behavior monitoring is essential for catching active exploitation attempts during critical CI/CD operations.

Garnet provides specialized runtime security designed specifically for CI/CD environments, focusing on behavioral anomalies that signature-based approaches miss. Our approach delivers:

  • Immediate Detection: Identify suspicious activities during CI/CD processes in real-time
  • Contextual Awareness: Understand normal vs. abnormal behaviors in your unique workflows
  • Pipeline Integration: Seamless integration with existing GitHub Actions, GitLab CI, and other CI/CD systems
  • Zero False Positives: Precise behavioral analysis without disrupting legitimate build processes

With Garnet's Linux-based Jibril sensor monitoring your CI/CD pipelines, you gain visibility into the exact kind of abnormal runtime behavior exhibited in the tj-actions attack, preventing secret exposure before it happens.

Learn more about protecting your CI/CD environments at Garnet.ai.

Related Posts

You might also be interested in these articles

Stopping the Reviewdog Supply Chain Attack: a case for Runtime Security
Breaches

Stopping the Reviewdog Supply Chain Attack: a case for Runtime Security

Analysis of the March 2025 reviewdog/action-setup GitHub Action compromise and how Garnet's runtime monitoring would have detected the attack instantly

MCP Security Top 10 - Part 8: Cross-Context Data Leakage
AI Security

MCP Security Top 10 - Part 8: Cross-Context Data Leakage

Understanding the risks of sensitive data leaking across contexts in MCP implementations and how to implement proper isolation.

MCP Security Top 10 - Part 6: Command Injection
AI Security

MCP Security Top 10 - Part 6: Command Injection

Exploring how command injection vulnerabilities in MCP tools can lead to unauthorized code execution and effective mitigation strategies.