Let’s enter the world of software development! Automation has now become the heartbeat of contemporary DevOps practices. However, on the backdrop, the threat associated with it has been growing at a similar rate. Tools like GitHub Actions are known to streamline workflows by automating the testing process, deployment, and integration tasks. As the world talked about its positive aspect and discussed its way through the secure path, hackers went a step further, resulting in the GitHub Actions Attack, one of the largest supply chain attacks so far and the first in 2025. This article emphasizes the silent threat creeping into CI/CD pipelines, which many developers and organizations rely on to fuel productivity and innovation.

How Hackers Target Your Automation – A Recap of The GitHub Actions Attack

The exploitation of CI/CD pipelines has now become the new frontier of cyber threats. On March 10, 2025, a serious security issue impacted GitHub. Hackers infiltrated tj-actions/changed-files, and actions from the reviewdog organization, compromising thousands of software projects. Let’s understand how the attack took shape:

How Did The Attack Happen?

The hackers initially targeted a cryptocurrency company, Coinbase. The attempt was to exploit agentkit, one of its open-source projects. However, the hackers were unable to steal secrets or publish false updates, and they proceeded to get deeper access.

A Larger Attack Followed

After the failed attempt to exploit Coinbase, the hackers broadened their search. They attacked popular GitHub projects by injecting malicious code into the tj-actions/changed-files, a widely used GitHub automation tool.  

The hackers used a stolen GitHub token with write permissions and impersonated a trusted automation bot to avoid suspicion. Moreover, to remain undetected, they used the Base64 encoding. The attacker modified GitHub tags, causing developers to unknowingly use the infected version of tj-actions/changed-files.

In this way, it allowed the hackers to access sensitive information present in CI/CD pipelines. Thus, making over 23,000 software projects that used this tool vulnerable.

A Chain Reaction – The Real Source

A few days later, a security researcher found that the attack actually began with another GitHub project, reviewdog/action-setup. The attack on tj-actions/changed-files was the result of a chain reaction. Let’s understand it in detail.

The attack spread through a dependency chain. GitHub tools like tj-actions/changed-files depend on other tools like tj-actions/eslint-changed-files to work, which further rely on reviewdog/action-setup.

It is speculated that it was the reviewdog organization’s auto-invite system that allowed the hackers to gain access to the project and attack its connected tools.

The Key Takeaway from the Supply Chain Attack

This attack serves as a stark reminder that the software supply chain is only as secure as its weakest link. Hackers are no longer targeting just the companies themselves but the very tools and libraries they rely on. Such attacks in CI/CD pipelines lead to unauthorized access to projects, data breaches, and malicious code injection. The attack further emphasizes the fact that a single successful infiltration into the weak link of a software supply chain can lead to widespread infections. Here are some crucial takeaways from this breach:

• The Silent Spread: The demographic heaviness on the dependency of third-party automation tools, like GitHub Actions, led to the quick spread of the attack, jeopardizing a large number of repositories without getting noticed. This shows how a single compromised tool can affect thousands of projects at once and make an entire ecosystem vulnerable.

• Data Exposure and Security Gaps: By leaking sensitive data through public logs, the attackers had easy access to API tokens and other confidential information. This highlights how CI/CD pipelines, when improperly secured, can become major attack vectors.

• Complexity of CI/CD Dependencies: The interconnected nature of CI/CD tools and dependencies makes such attacks dangerous. These dependencies make it incredibly difficult to trace and prevent attacks. A small vulnerability in one action can create a chain reaction, causing widespread damage.

How to Protect Your Repositories?

A repository or repo is similar to a storage where project files, code, and other similar information are stored and managed. Repositories can be hosted on a developer’s machine or hosted remotely on platforms like GitHub, GitLab, or Bitbucket. This breach is a stern reminder to take immediate and effective steps to protect your code and credentials. Here are the short-term and long-term measures that your organization can take to secure your CI/CD pipelines from such high-impact attacks: 

Immediate Steps

• Audit Your Dependencies: Regularly review the external dependencies in your automation workflows to identify any compromised or outdated tools. For example, search for any instances of tj-actions/changed-files or any other compromised actions in your GitHub workflows. Review the logs for any exposed credentials, particularly ones encoded in Base64.

• Rotate Credentials: If there’s any chance that your secrets are exposed, revoke and regenerate your API keys, access tokens, and deployment credentials. Proactively securing your credentials helps maintain the integrity of your automation workflows and infrastructure.

• Check for Malicious Activity: Investigate any suspicious changes in your repositories. Look for unauthorized commits or modifications to your workflow files. You can also use VMDR tools like AutoSecT to ensure that all vulnerabilities are identified and patched on time.

Long-Term Security Improvements

• Monitor Your CI/CD Pipeline: Regularly check your CI/CD workflows for unusual activity and stay up to date on the latest security risks and mitigation strategies. The OWASP Top 10 CI/CD Security Risks is a great resource to understand and address the most common vulnerabilities in automation pipelines.
• Vet Third-Party Tools: Do not blindly trust any third-party automation tools. Always vet these tools before incorporating them into your workflows. Where possible, use verified or well-known actions that have been thoroughly tested for security vulnerabilities. Make sure to get your VAPT done on a regular basis.
• Use Short-Lived Tokens: Implement Pipeline-Based Access Controls (PBAC) to limit the permissions of actions to the bare minimum. Use short-lived tokens instead of long-term access credentials that could be exploited by attackers.
• Pin Dependencies: Avoid using dynamic or floating references such as @latest, @v3, or @main in your automation workflows. Instead, pin dependencies to a specific version or commit hash. This ensures that you are always using a known, trusted version of the tool.

The GitHub Actions attack is the perfect real-time example of how hackers can target your automation. It is more than a cautionary tale that highlights the rising dangers of the vulnerabilities in a software supply chain. It’s time for every organization’s leaders to act. Don’t let your automation pipelines be the silent accomplice to an attack on your software infrastructure. Cybersecurity experts like Kratikal actively work towards securing organizations like yours from such attacks through their services and products. With such cybersecurity professionals on your side, stay secure for sure!

FAQs

The post The Silent Threat in CI/CD: How Hackers Target Your Automation? appeared first on Kratikal Blogs – Information Hub For Cyber Security Experts.

*** This is a Security Bloggers Network syndicated blog from Kratikal Blogs – Information Hub For Cyber Security Experts authored by Puja Saikia. Read the original post at: https://kratikal.com/blog/the-silent-threat-in-ci-cd-how-hackers-target-your-automation/