GitHub Actions supply chain attack exposes secrets

Welcome to the latest edition of Chainmail: Software Supply Chain Security News, which brings you the latest software security headlines from around the world, curated by the team at ReversingLabs .

This week: A supply chain attack against GitHub Action triggers massive exposure of CI/CD secrets. Also: VSCode extensions were found downloading early-stage malware.??

This Week’s Top Story

GitHub Actions supply chain attack exposes secrets

Researchers at StepSecurity are warning of a supply chain attack against tj-actions/changed files GitHub Actions, which is used in more than 23,000 repositories. Researchers detected a malicious commit on March 14 that has resulted in a massive exposure of development secrets. These exposed secrets can now be abused by threat actors to launch further compromises.?

“This incident highlights the growing risks in software supply chains and the need for real time CI/CD security monitoring to detect and prevent such actions.” — Varun Sharma , CEO of StepSecurity

The malicious commit is being tracked as CVE-2025-30066, which allows remote attackers to discover secrets by reading action logs. Among the exposed continuous integration/continuous deployment (CI/CD) secrets are valid AWS access keys, GitHub personal access tokens, private RSA keys and other secrets.?

Researchers at Wiz later identified dozens of repositories affected by the incident, including those operated by large organizations. According to Wiz’s blog about the supply chain attack, researchers noted: “As of now, no external exfiltration of secrets to an attacker-controlled server were observed; secrets were only observable within the affected repositories themselves.”

The malicious commit has been resolved, but organizations must search for which of their software systems might have been using the malicious package. StepSecurity recommends that if an organization is using tj-actions/changed files, they stop using it immediately. Researchers have provided a free and secure drop-in replacement for organizations: step-security/changed-files.?

(Cybersecurity Dive)

This Week’s Headlines

VSCode extensions downloading early-stage ransomware

This week, researchers at ReversingLabs found two malicious VSCode Marketplace extensions deploying in-development ransomware. The extensions, ahban.shiba and ahban.cychelloworld, were downloaded seven and eight times, respectively, prior to being taken down from the marketplace. The extensions were uploaded to the store in October 2024 (ahban.cychelloworld) and February 2025 (ahban.shiba), and were able to bypass safety review processes, allowing them to reside on the marketplace for an extended period. RL researchers discovered that the extensions contain a PowerShell command that downloads and executes another PS script that acts as ransomware from a remote C2 server hosted on AWS. (BleepingComputer)

Linux Foundation's trust scorecards take on OSS threats

At the Linux Foundation Members Summit, the Foundation’s executive director Jim Zemlin proposed developing a decentralized trust system for open-source software (OSS) similar to the existing Open Source Security Foundation (OpenSSF)’s Scorecard. Zemlin believes that this would help users of OSS assess the trustworthiness of open-source projects based on factors like contributor verification and project history. This proposed system would also make it so that users need to earn levels of trust before they can become a maintainer of a project. Zemlin asserts that this system is now necessary because of the threat posed by malicious actors:

"Open-source is now a fundamental building block of all modern computing, and hackers are paying attention.” —Jim Zemlin, executive director of the Linux Foundation?

(ZDNet)

Development pipeline attacks expand risk exposure

RL’s 2025 Software Supply Chain Security Report found widespread flaws in open-source and third-party commercial software, along with malicious campaigns targeting AI development pipelines. The report found that incidents of exposed development secrets rose 12% last year. RL’s researchers also scanned more than two dozen widely used commercial-software binaries, and uncovered a range of problems, including exposed secrets, actively exploited software vulnerabilities, evidence of possible code tampering, and inadequate application hardening. (CSO)

Hackers exploit PHP flaw to deploy Quasar RAT and XMRig

Researchers at Bitdefender have discovered a new malicious campaign in which threat actors are exploiting a severe security flaw in PHP to deliver cryptocurrency miners and remote access trojans (RATs). The flaw, CVE-2024-4577, is an argument injection vulnerability found in PHP affecting Windows-based systems running in CGI mode, which could allow remote attackers to run arbitrary code on victims’ systems. Of the detected exploitations, 15% revolve around commands used for system reconnaissance, and roughly 5% exploited the flaw to deploy the XMRig cryptocurrency miner. (The Hacker News)

For more insights on software supply chain security, see the RL Blog.?

The Best of RL Blog

The changing face of open-source security

RL’s latest report found that instances of malware on open-source software repositories dropped in 2024 — but OSS risk is on the rise. Here’s what you need to know. [Read More]

EPSS is not foolproof: Shift your AppSec beyond vulnerabilities

The Exploit Prediction Scoring System is useful, but limited. Here's why your application security strategy needs an upgrade. [Read More]

CISO survey: 6 lessons to boost third-party cyber-risk management

Risk is rising across the software supply chain while visibility remains low, making TPCRM challenging. Here's what you need to know. [Read More]

RL Webinars

Webinar | The Year In Software Supply Chain Risk

Thursday, March 27 at 11am ET

Join RL’s director of editorial and content Paul F. Roberts and RL chief software architect and co-founder Tomislav Peri?in to discuss the findings of RL’s annual report, The 2025 Software Supply Chain Security Report. Aquia CEO Chris H. will also share his insights. [Save Your Seat]

For great conversations to watch, see RL’s on-demand webinar library.