Using a compromised tj-actions/changed-files GitHub Action #1872
Description
Filing a public issue instead of reporting this as a private vulnerability, as I could not find a security.md file. Moreover, this malware is a publicly known and an urgent issue.
This repo uses a compromised version of tj-actions/changed-files. The compromised action leaks secrets the runner has in memory.
fuels-wallet/.github/workflows/pr.yaml
Line 29 in 28ce63a
This run ids has creds leaked. Please rotate (if applicable) and delete the workflow run.
https://github.com/FuelLabs/fuels-wallet/actions/runs/13864440929/job/38800307543#step:3:59
You can also use https://github.com/step-security/changed-files going forward.
Reference about this incident: https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised