
Using a compromised tj-actions/changed-files GitHub Action

Open varunsh-coder opened this issue 8 months ago • 0 comments

Filing a public issue instead of reporting this as a private vulnerability, as I could not find a security.md file. Moreover, this malware is a publicly known and urgent issue.

This repo uses a compromised version of tj-actions/changed-files. The compromised action leaks secrets the runner has in memory.

https://github.com/FuelLabs/fuels-wallet/blob/28ce63a67ff2230e6ee1f817ef5f132adf44463e/.github/workflows/pr.yaml#L29

This run id has creds leaked. Please rotate (if applicable) and delete the workflow run. https://github.com/FuelLabs/fuels-wallet/actions/runs/13864440929/job/38800307543#step:3:59

You can also use https://github.com/step-security/changed-files going forward.

Reference about this incident: https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised

varunsh-coder, Mar 17 '25 15:03
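The check that would have flagged the workflow line referenced above, as an added example that is not code from the reporter or from the fuels-wallet project: a dependency-free scanner over workflow YAML that reports every `uses:` reference to a third-party action not pinned to a full commit SHA, and always reports the named action so its revision can be checked against a known-good list. The sample workflow, its step names and the 40-character SHA in it are constructed for the example.

```python
import re

# Constructed sample workflow, modelled on a pr.yaml that calls the action
# via a mutable version tag. Not the repository's actual file.
SAMPLE_WORKFLOW = """\
name: PR
on: [pull_request]
jobs:
  changed:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Get changed files
        uses: tj-actions/changed-files@v45
      - uses: step-security/changed-files@3dbe17c78367e7d60f00d78ae6781a35be47b4a1 # v45
"""

# Matches "uses: owner/repo[/subpath]@ref" on a step line, with or without "- ".
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+)(?:/[^@\s]+)?@(\S+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned_uses(workflow_text, watch=("tj-actions/changed-files",)):
    """Return (action, ref, reason) tuples for every action reference that needs
    attention: any action on a mutable ref (tag or branch), plus every action in
    `watch` even when SHA-pinned, since that SHA still has to be verified."""
    findings = []
    for match in USES_RE.finditer(workflow_text):
        action, ref = match.group(1), match.group(2)
        pinned = bool(FULL_SHA_RE.match(ref))
        if action in watch:
            reason = "watched action: verify this revision" if pinned else "watched action on mutable ref"
            findings.append((action, ref, reason))
        elif not pinned:
            findings.append((action, ref, "mutable ref (tag/branch), pin to a commit SHA"))
    return findings


if __name__ == "__main__":
    for action, ref, reason in find_unpinned_uses(SAMPLE_WORKFLOW):
        print(f"{action}@{ref}: {reason}")
```

A version tag can be moved after the fact, so a tag-pinned reference identifies no particular revision; only a full commit SHA does, which is why the scanner treats tags and branches alike.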