Article

Wake-Up Call: tj-actions/changed-files Compromised NHIs

Learn from the tj-actions/changed-files compromise: CI/CD non-human identity (NHI) security risks, secret theft, and proactive hardening.

Cybersecurity threats are constantly evolving, targeting both human and non-human identities (NHIs). A recent incident involving the popular tj-actions/changed-files GitHub Action serves as a stark reminder of the importance of securing these often-overlooked machine identities. Detected by StepSecurity Harden-Runner, this compromise highlights the risks NHIs pose in the software development lifecycle and underscores the need for robust security and incident response practices.

Understanding the tj-actions/changed-files Incident

In March 2025, StepSecurity detected a critical security incident affecting the widely used tj-actions/changed-files GitHub Action, which is used in over 23,000 repositories. Attackers modified the action’s code and retroactively updated multiple version tags to point to a compromised commit. This malicious code was designed to dump CI/CD secrets from GitHub Actions build logs. If these workflow logs were publicly accessible, as is the case with public repositories, these secrets could be exposed to anyone.

The attack began around 9:00 AM PST on March 14, 2025. StepSecurity’s Harden-Runner identified the issue through anomaly detection when an unexpected network endpoint appeared in the workflow traffic. Further analysis revealed a malicious Python script downloading and executing to extract secrets from the GitHub Actions Runner’s memory.

GitHub Actions as Non-Human Identities

GitHub Actions and the secrets they utilize are prime examples of NHIs. These automated workflows, along with API keys, tokens, and service accounts, function autonomously but hold permissions to access and modify critical resources.

The tj-actions/changed-files incident illustrates the inherent risks associated with NHIs:

Credential Exposure: The attack aimed to expose sensitive CI/CD secrets, which could be used for unauthorized access to connected systems. This aligns with NHI2:2025 - Secret Leakage in the OWASP Non-Human Identities Top 10.

Vulnerable Third-Party NHI: The action is a third-party component integrated into numerous development workflows. Its compromise exemplifies NHI3:2025 - Vulnerable Third-Party NHI, where a seemingly trusted external element becomes a vector for attack. Organizations integrate such tools for efficiency but often overlook the security risks of their NHIs.

Lack of Visibility and Monitoring: Without proactive security measures like Harden-Runner’s anomaly detection, the malicious activity could have gone unnoticed, potentially leading to widespread credential theft. This highlights the challenge of maintaining centralized visibility over NHIs.

Lessons Learned and the Critical Role of Incident Response

The tj-actions/changed-files incident reinforces key principles for strengthening NHI security, particularly in incident response:

Assume Compromise: This incident reinforces an “Assume Leak” mindset. Organizations should assume NHIs may already be compromised and implement continuous monitoring.

Early Detection Enables Swift Response: StepSecurity Harden-Runner detected the compromise early by identifying an unexpected network endpoint. Early detection is crucial for swift incident response and damage mitigation.

Immediate Remediation Is Key: After detecting the compromise, StepSecurity quickly released a free, secure drop-in replacement (step-security/changed-files) to aid recovery. GitHub also removed and then restored the repository with the malicious code removed. This demonstrates the importance of predefined incident response playbooks.

Communication and Transparency: StepSecurity promptly alerted users through a blog post and continuous updates, even hosting an Office Hour to answer questions. Clear and timely communication is critical during a security incident.

Comprehensive Remediation Beyond Immediate Fixes: Replacing the compromised action is necessary, but so is identifying and revoking potentially exposed secrets. Organizations using the affected action were advised to review recovery steps immediately, underscoring the need for robust remediation workflows.

Third-Party Vetting and Incident Preparedness: Organizations must thoroughly vet third-party tools used in their pipelines and understand the permissions granted to NHIs. This includes evaluating the vendor’s own incident response capabilities.

The Need for Specialized NHI Incident Response: The tj-actions/changed-files incident highlights the need for tailored incident response processes for NHIs. These should account for NHIs’ unique characteristics, including their diverse types and the potential impact of disrupting automated workflows.

Strengthening Your NHI Security Posture and Incident Response Capabilities

To mitigate risks and effectively respond to future incidents, organizations should implement the following:

Comprehensive NHI Inventory: Maintain full visibility into all NHIs, including third-party integrations. Solutions like Cremit provide unified visibility and map the Identity Traceability of each NHI to assess potential compromise.

Zero Trust for NHIs: Extend Zero Trust principles to all NHIs, ensuring continuous access validation.

Least Privilege: Adhere to the principle of least privilege, granting NHIs only the necessary permissions.

Continuous Monitoring and Threat Detection: Implement real-time monitoring and behavioral analytics for NHIs. StepSecurity Harden-Runner exemplifies this for GitHub Actions.

Automated Remediation: Use tools that enable automated responses, such as revoking compromised identities, rotating secrets, or quarantining affected systems. Cremit, Astrix, Entro, SlashID, and Oasis offer such capabilities. Cremit provides real-time threat detection and integrated response to isolate suspicious NHI activity before damage occurs.

Secrets Management: Employ secure secrets vaulting and enforce secret rotation policies. Cremit replaces traditional rotation with ephemeral credentials—short-lived, auto-expiring certificates that limit exposure risks and reduce management overhead.

Defined NHI Incident Response Plan: Develop and maintain a dedicated NHI incident response plan, including detection, containment, eradication, and recovery procedures. Cremit’s Identity Traceability feature helps assess breaches and plan containment by quickly identifying each NHI’s origin, owners, usage, and access permissions.

Regular Security Assessments and Audits: Conduct security assessments of third-party integrations and review NHI permissions.

Conclusion: Proactive NHI Security and Robust Incident Response Are Essential

The compromise of the tj-actions/changed-files action serves as a potent reminder that NHIs are attractive targets for attackers. As organizations increasingly rely on automation and interconnected systems, securing these machine identities—paired with a strong incident response framework—must be a priority.

By understanding risks, implementing proactive security measures, and leveraging specialized NHI management solutions, organizations can reduce their attack surface and strengthen their software development lifecycle security. Ignoring NHI security and incident response planning is no longer an option in today’s evolving threat landscape. Cremit’s integrated approach provides full-spectrum NHI security, helping organizations stay ahead of these threats.

Unlock AI-Driven Insights to Master Non-Human Identity Risk.

Go beyond basic data; unlock the actionable AI-driven insights needed to proactively master and mitigate non-human identity risk

A dark-themed cybersecurity dashboard from Cremit showing non-human identity (NHI) data analysis. Key metrics include “Detected Secrets” (27 new) and “Found Sensitive Data” (58 new) from Jan 16–24, 2024. Two donut charts break down source types of detected secrets and sensitive data by platform: GitHub (15k), GetResponse (1,352), and Atera (352), totaling 16.9k. The dashboard includes a line graph showing trends in sensitive data over time, and bar charts showing the top 10 reasons for sensitive data detection—most prominently email addresses and various key types (API, RSA, PGP, SSH).

Blog

Explore more news & updates

Stay informed on the latest cyber threats and security trends shaping our industry.

OWASP NHI5:2025 Insecure Authorization Deep Dive
Explore OWASP NHI5: Insecure Authorization. See how Non-Human Identities gain excess privileges, causing breaches. Learn countermeasures like Zero Trust & least privilege.
OWASP NHI4:2025 Insecure Authentication Deep Dive Introduction: The Era of Non-Human Identities Beyond Humans
Deep dive into OWASP NHI4: Insecure Authentication. Understand the risks of NHIs, key vulnerabilities, and how Zero Trust helps protect your systems.
Secret Sprawl and Non-Human Identities: The Growing Security Challenge
Discover NHI sprawl vulnerabilities and how Cremit's detection tools safeguard your organization from credential exposure. Learn to manage NHI risks.
Navigating the Expanding AI Universe: Deepening Our Understanding of MCP, A2A, and the Imperative of Non-Human Identity Security
Delve into AI protocols MCP & A2A, their potential security risks for AI agents, and the increasing importance of securing Non-Human Identities (NHIs).
Stop Secrets Sprawl: Shifting Left for Effective Secret Detection
Leaked secrets threaten fast-paced development. Learn how Shift Left security integrates early secret detection in DevOps to prevent breaches & cut costs.
Hidden Dangers: Why Detecting Secrets in S3 Buckets is Critical
Learn critical strategies for detecting secrets in S3 buckets. Understand the risks of exposed NHI credentials & why proactive scanning is essential.
NHI2 2025: Secret Leakage – Understanding and Mitigating the Risks
NHI2 Secret Leakage: Exposed API keys and credentials threaten your business. Learn how to prevent unauthorized access, data breaches, and system disruption.
Stop the Sprawl: Introducing Cremit’s AWS S3 Non-Human Identity Detection
Cremit Launches AWS S3 Non-Human Identity (NHI) Detection to Boost Cloud Security
Human vs. Non-Human Identity: The Key Differentiators
Explore the critical differences between human and non-human digital identities, revealing hidden security risks and the importance of secret detection.
Wake-Up Call: tj-actions/changed-files Compromised NHIs
Learn from the tj-actions/changed-files compromise: CI/CD non-human identity (NHI) security risks, secret theft, and proactive hardening.
NHI 3 2025: 3rd Party Supply Chain Dangers
Discover the security risks of vulnerable third-party non-human identities (NHI3:2025) and learn effective strategies to protect your organization from this OWASP Top 10 threat.
Build vs. Buy: Making the Right Choice for Secrets Detection
Build vs. buy secrets detection: our expert guide compares costs, features, and ROI for in-house and commercial security platforms.
Bybit Hack Analysis: Strengthening Crypto Exchange Security
Bybit hacked! $1.4B crypto currency stolen! Exploited Safe{Wallet}, API key leak, AWS S3 breach? Exchange security is at stake! Check your security now!
Rising Data Breach Costs: Secret Detection's Role
Learn about the growing financial impact of data breaches and how secret detection and cybersecurity strategies can safeguard your data and business.
NHI1 2025: Improper Offboarding- A Comprehensive Overview
Discover how improper offboarding exposes credentials, leading to vulnerabilities like NHI sprawl, attack surface expansion, and compliance risks.
Behind the Code: Best Practices for Identifying Hidden Secrets
Improve code security with expert secret detection methods. Learn strategies to safeguard API keys, tokens, and certificates within your expanding cloud infrastructure.
Understanding the OWASP Non-Human Identities (NHI) Top 10 Threats
Understanding NHI OWASP Top 10: risks to non-human identities like APIs and keys. Covers weak authentication, insecure storage, and more.
Securing Your Software Pipeline: The Role of Secret Detection
Prevent secret leaks in your software pipeline. Discover how secret detection improves security, safeguards CI/CD, and prevents credential exposure.
What Is Secret Detection? A Beginner’s Guide
Cloud security demands secret detection. Learn its meaning and why it's essential for protecting sensitive data in today's cloud-driven organizations.
Full Version of Nebula – UI, New Features, and More!
Explore the features in Nebula’s full version, including a refined UI/UX, fine-grained access control, audit logs, and scalable plans for teams of all sizes.
Unveiling Nebula: An Open-Source MA-ABE Secrets Vault
Nebula is an open-source MA-ABE secrets vault offering granular access control, enhanced security, and secret management for developers and teams.
Vigilant Ally: Helping Developers Secure GitHub Secrets
The Vigilant Ally Initiative supports developers secure API keys, tokens, and credentials on GitHub, promoting secure coding and secrets management.
Cremit Joins AWS SaaS Spotlight Program
Cremit joins the AWS SaaS Spotlight Program to gain insights through mentorship and collaboration, driving innovation in AI-powered security solutions.
DevSecOps: Why start with Cremit
DevSecOps is security into development, improving safety with early vulnerability detection, remediation, and compliance, starting with credential checks.
Credential Leakage Risks Hiding in Frontend Code
Learn why credentials like API keys and tokens are critical for access control and the risks of exposure to secure your applications and systems effectively.
Introducing Probe! Cremit's New Detection Engine
Probe detects exposed credentials and sensitive data across cloud tools, automating validation and alerts, with AI-powered scanning for enhanced security.
Customer Interview: Insights from ENlighten
We interviewed Jinseok Yeo from ENlighten, Korea’s top energy IT platform, on how they secure credentials and secrets. Here’s their approach to security.
6 Essential Practices for Protecting Non-Human Identities
Safeguard your infrastructure: Learn 6 best practices to protect API keys, passwords & encryption keys with secure storage, access controls & rotation.
Microsoft Secrets Leak: A Cybersecurity Wake-Up Call
See how an employee error at Microsoft led to the exposure of sensitive secrets and 38 terabytes of data.