The fallout from the malicious tj-actions/changed-files is still being investigated. It is fortunate that this malicious commit was identified fairly quickly, as further compromise of major OSS components and projects could lead to a kind of chain reaction.
- https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised
- https://semgrep.dev/blog/2025/popular-github-action-tj-actionschanged-files-is-compromised/