
The tj-actions attack hit 23,000 repos. Your workflows are probably still vulnerable.
In March 2025, the tj-actions GitHub Actions library was compromised. The attacker modified the action's code, then moved the version tags (v2, v3, v4) to point to the malicious commit. Any repository running a workflow with this:

  - uses: tj-actions/changed-files@v4

pulled the compromised code automatically. No warning. No notification. Just silent supply chain compromise.

That was 23,000+ repositories. One tag repoint. Done.

Why this keeps working

Tags are mutable. That's the entire problem. When you pin to @v4, you're trusting that the tag won't be moved to different code. That trust has no technical basis — GitHub doesn't prevent tag rewrites. The only thing stopping a maintainer (or an attacker who compromises one) from repointing your @v4 is nothing.

SHA pinning is different:

  - uses: tj-actions/changed-files@a81bbbf8298c0fa03ea29cdc473d45aca646fdde3

That hash is immutable. No tag repoint chang
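As an added example (not code from the original post or from the tj-actions project), here is a small Python audit that classifies every "uses:" reference in a workflow the way the post distinguishes tags from SHA pins, and lists the ones a reviewer should block on. The sample workflow and both 40-hex commit SHAs in it are constructed placeholders, not real commits.

```python
"""Audit GitHub Actions workflow text for mutable action references.

Added example, not code from the original post. Only a full 40-hex commit SHA
is immutable; a tag (@v4) or branch (@main) can be moved by whoever controls
the upstream repository, which is exactly what the tj-actions incident abused.
"""
import re

# A `uses:` value: optional list dash, optional quotes, stop at whitespace,
# a closing quote, or the start of a trailing comment.
USES_RE = re.compile(r'^\s*(?:-\s*)?uses\s*:\s*["\']?([^\s"\'#]+)')
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')
# Loose version-tag shape: v4, v4.1, 4.1.2 ...
TAG_RE = re.compile(r'^v?\d+(\.\d+)*$')

# Constructed sample workflow. Both 40-hex SHAs are placeholders, not real commits.
SAMPLE_WORKFLOW = """name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567
      - name: lint
        uses: ./.github/actions/lint
      - uses: some-org/tool@main
      - uses: "actions/setup-python@fedcba9876543210fedcba9876543210fedcba98"  # v5.1.0
      - uses: docker://alpine:3.19
"""


def classify_ref(uses_value):
    """Classify one `uses:` value: local, docker, sha, tag, branch or missing."""
    if uses_value.startswith('./'):
        return 'local'      # action in the same repo: no upstream ref to pin
    if uses_value.startswith('docker://'):
        return 'docker'     # image reference; pin by digest, a separate check
    if '@' not in uses_value:
        return 'missing'    # no ref at all; GitHub rejects this, flag it anyway
    _, ref = uses_value.rsplit('@', 1)
    if FULL_SHA_RE.match(ref):
        return 'sha'        # immutable: the only pin that survives a tag repoint
    if TAG_RE.match(ref):
        return 'tag'        # mutable: can be moved to different code
    return 'branch'         # branch name or abbreviated SHA: treated as unpinned


def audit_workflow(text):
    """Return (line_number, uses_value, kind) for every uses: step in the text."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            findings.append((n, m.group(1), classify_ref(m.group(1))))
    return findings


def mutable_refs(text):
    """Only the findings a reviewer should block on: anything not SHA-pinned."""
    return [f for f in audit_workflow(text) if f[2] in ('tag', 'branch', 'missing')]


if __name__ == '__main__':
    for n, value, kind in mutable_refs(SAMPLE_WORKFLOW):
        print(f'line {n}: {value} is pinned to a {kind}, not a commit SHA')
```

Run it against the files under .github/workflows/ in a pre-merge check and fail the build on any finding. To turn a tag into a pin, resolve it once with git ls-remote (for example "git ls-remote https://github.com/OWNER/REPO refs/tags/v4") and commit the 40-hex SHA with the version kept in a trailing comment, as the setup-python line in the sample does; the comment is for humans, the SHA is what the runner checks out.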
Continue reading on Dev.to DevOps


