
Security: Compromise of reviewdog/action-setup@v1

Open joschi opened this issue 9 months ago • 3 comments

https://www.wiz.io/blog/new-github-action-supply-chain-attack-reviewdog-action-setup

Wiz Research has discovered an additional supply chain attack on reviewdog/action-setup@v1, that may have contributed to the compromise of tj-actions/changed-files. At this point we believe this is a chain of supply chain attacks eventually leading to a specific high-value target.

You are certainly aware of this article and the issue.

Is there any way to track the incident? I haven't seen anything in the Security tab in this repository.

joschi avatar Mar 18 '25 07:03 joschi

There is a security advisory report at https://github.com/reviewdog/reviewdog/security but it's still in draft state. I was working on fixing potential issues and it's mostly done.

I'll create an issue or something to share the status after getting some rest.

For the time being, I believe most users can read the wiz blog post as to what users should do.

haya14busa avatar Mar 18 '25 09:03 haya14busa
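Since the thread points users to the Wiz write-up for remediation but does not say how to find out whether your own repositories even reference the affected actions, here is a small triage script. It is an added example, not code from the reviewdog project or from anyone in this thread. It scans GitHub Actions workflow files for `uses:` steps that reference `reviewdog/action-setup` or `tj-actions/changed-files` (the two actions named above) and reports whether each reference is pinned by a mutable ref (tag or branch, such as `@v1`) or by a full commit SHA; the sample workflow embedded below is constructed for the example.

```python
import re
from pathlib import Path
from typing import List, Tuple

# The two actions named in this thread and in the Wiz write-up.
AFFECTED_ACTIONS = {
    "reviewdog/action-setup",
    "tj-actions/changed-files",
}

# Matches a workflow step of the form `- uses: owner/repo[/subpath]@ref`.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^@\s'\"]+)@([^\s'\"#]+)")
# A full 40-hex commit SHA; anything else (tag, branch) can be moved after the fact.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_affected_uses(workflow_text: str) -> List[Tuple[int, str, str, str]]:
    """Return (line_no, action, ref, verdict) for each step that references an
    affected action. verdict is 'mutable-ref' for a tag/branch pin and
    'sha-pinned' for a full commit SHA."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        action, ref = match.group(1), match.group(2)
        # Reduce owner/repo/subpath to owner/repo before comparing.
        owner_repo = "/".join(action.split("/")[:2])
        if owner_repo not in AFFECTED_ACTIONS:
            continue
        verdict = "sha-pinned" if SHA_RE.match(ref) else "mutable-ref"
        findings.append((line_no, action, ref, verdict))
    return findings


def scan_workflows(repo_root: str) -> List[Tuple[str, int, str, str, str]]:
    """Walk .github/workflows under repo_root and collect findings per file."""
    results = []
    workflow_dir = Path(repo_root) / ".github" / "workflows"
    for path in sorted(workflow_dir.glob("*.y*ml")):
        for line_no, action, ref, verdict in find_affected_uses(path.read_text()):
            results.append((str(path), line_no, action, ref, verdict))
    return results


# Constructed sample workflow for demonstration; not taken from any real repository.
SAMPLE_WORKFLOW = """\
name: lint
on: [pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: reviewdog/action-setup@v1
      - uses: tj-actions/changed-files@v45
      - uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567
        with:
          files: '**/*.go'
"""

if __name__ == "__main__":
    for line_no, action, ref, verdict in find_affected_uses(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action}@{ref} [{verdict}]")
```

Run `scan_workflows(".")` from a repository checkout to list every workflow step that references either action. A `mutable-ref` hit is the one to act on first: a tag such as `v1` can be repointed by whoever controls the repository, which is why the Wiz post, not the ref itself, should be the source of truth for which commits are safe to pin.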

@haya14busa - thank you for the quick response! Did you manage to rotate all your tokens & secrets as well? :)

aviadhahami avatar Mar 18 '25 14:03 aviadhahami

I posted an issue on the reviewdog repo. https://github.com/reviewdog/reviewdog/issues/2079

> Did you manage to rotate all your tokens & secrets as well? :)

Yes! Thanks for checking.

haya14busa avatar Mar 18 '25 20:03 haya14busa