Lessons Learned From GitHub Action Supply-Chain Attack

Read full article here: https://www.unosecur.com/blog/github-actions-supply-chain-attack-exposes-critical-identity-security-gaps/?source=nhimg

On March 14, 2025, StepSecurity uncovered a major supply chain attack targeting the popular GitHub Action tj-actions/changed-files. The incident compromised over 23,000 repositories, exposing the fragility of CI/CD pipelines and the critical risks tied to identity-based attacks. Attackers modified version tags in the GitHub Action to include malicious code, which harvested sensitive credentials directly from build logs.

Although there is no confirmed evidence of credential exfiltration to external systems, the exposure of secrets in publicly accessible workflow logs presents severe identity and security risks across GitHub, cloud platforms, and package ecosystems.

Key MITRE ATT&CK Findings

• Initial Access - Attackers compromised the GitHub Action repository, inserting malicious code under legitimate tags.
• Persistence - Modified tags ensured ongoing use of compromised versions in thousands of workflows.
• Execution - A malicious script (memdump.py) scanned CI/CD runner memory for credentials.
• Credential Access - AWS keys, GitHub tokens, and other secrets were harvested.
• Defense Evasion - Stolen credentials were double Base64-encoded, bypassing GitHub’s masking safeguards.
• Exfiltration - Secrets were left exposed in workflow logs, easily retrievable by attackers.

Identity Security Impact

This attack demonstrates how non-human identities (e.g., tokens, service accounts, cloud keys) represent a massive attack surface in CI/CD pipelines. Impacts include:

• Developer Impersonation - Stolen GitHub PATs could let attackers pose as trusted contributors, inserting malicious code.
• Cloud Service Compromise - AWS, Azure, and GCP credentials could grant unauthorized access to critical environments.
• Package Integrity Risks - Compromised NPM or Docker Hub tokens could enable attackers to tamper with widely used software libraries.

Business Implications

• Reputation Damage - Trust in open-source projects and enterprises relying on compromised pipelines could be undermined.
• Regulatory Exposure - Breaches of sensitive data could trigger compliance penalties under GDPR, HIPAA, or PCI DSS.
• Operational Disruption - Unauthorized cloud activity risks outages, tampering, or lateral movement across environments.

How Unosecur Helps Organizations Stay Protected

Unosecur’s identity-first security solutions directly address the weaknesses exposed by this attack:

• Identity Threat Detection & Response (ITDR) - Continuous monitoring to detect credential abuse, suspicious privilege use, and anomalous activity in real time.

• Activity-Based Access Control - Through IAMOps, enforce Just-in-Time (JIT) and Just-Enough-Privilege (JEP) access, minimizing blast radius of compromised credentials.

• Identity Security Posture Management (ISPM) - Ongoing visibility into permissions, access patterns, and security drift, ensuring proactive remediation and compliance alignment.

Conclusion

The GitHub Action supply chain attack highlights the growing risk of identity-based threats in modern software delivery pipelines. Attackers no longer need to breach systems directly; compromising identities within CI/CD workflows is enough to gain control.

By adopting proactive identity security measures, including real-time detection, least privilege enforcement, and continuous monitoring, organizations can significantly reduce the risk of similar attacks. Unosecur enables enterprises to secure their identities end-to-end—protecting developers, pipelines, and the cloud environments that drive digital business.