Securing Your Supply Chain: How RAD Security Detects the tj-actions/changed-files Attack


In the wake of the recent tj-actions/changed-files GitHub Action supply chain attack (CVE-2025-30066), security teams worldwide scrambled to assess their exposure and implement protective measures. The sophisticated attack compromised a widely used GitHub Action, with over 23,000 repositories affected, highlighting the critical importance of robust supply chain security.

At RAD Security, we've built our platform specifically to detect and prevent these types of attacks. Here's how our comprehensive security suite protects organizations from the tj-actions/changed-files compromise and similar supply chain threats.

Understanding the tj-actions/changed-files Attack

On March 12, 2025, attackers compromised the popular tj-actions/changed-files GitHub Action. This action, which identifies file changes in pull requests and commits, is a core component in many CI/CD pipelines. The compromise allowed attackers to:

  • Exfiltrate sensitive repository data
  • Harvest credentials and tokens
  • Potentially inject malicious code into the software supply chain
  • Execute remote code on CI/CD runners

The widespread use of this action across thousands of repositories made this a particularly dangerous attack, with potentially far-reaching consequences.

RAD Security's Multi-Layered Detection Approach

1. Continuous Container Image Analysis

RAD Security continuously scans container images throughout your environment, providing immediate alerts when compromised components are detected. For the tj-actions/changed-files attack:

  • Our scanning engines detect suspicious code patterns injected by the compromised action
  • ChainGuard™ technology validates image provenance and identifies supply chain irregularities
  • Vulnerability correlation connects CVE-2025-30066 to affected images in your registry

# Sample detection output
IMAGE: github-runner:latest
FINDING: Supply Chain Compromise [CRITICAL]
DETAILS: Image contains GitHub Action tj-actions/changed-files@v41.0.1 
         (affected by CVE-2025-30066)
RECOMMENDATION: Rebuild with patched version or alternative action

2. Runtime Behavior Monitoring

The tj-actions/changed-files compromise exhibits specific behavioral patterns that RAD Security's runtime monitoring can detect:

  • Unusual network connections to attacker-controlled domains
  • Unexpected process execution patterns in CI/CD environments
  • Credential access attempts outside normal workflow parameters
  • Data exfiltration signatures specific to this attack

Our behavioral analysis engine establishes baselines of normal CI/CD operations and flags deviations that indicate compromise, stopping attacks in progress before they can spread.

3. Kubernetes Admission Controls

RAD Security's Admission Guard provides proactive protection by:

  • Blocking deployments containing known compromised components
  • Enforcing policies requiring pinned and verified GitHub Action versions
  • Validating image signatures and provenance before admission
  • Implementing least-privilege principles for CI/CD workloads

ADMISSION DENIED:
Resource: Deployment/github-runner
Reason: Image contains compromised GitHub Action (tj-actions/changed-files@v41.0.1)
Policy: supply-chain-integrity-check

4. Advanced Threat Detection

Our threat detection capabilities leverage multiple signals to identify compromise patterns:

  • Correlation of GitHub workflow execution with unexpected network activity
  • Detection of unusual permissions or identity usage during build processes
  • Analysis of artifact integrity throughout the build pipeline
  • Identification of suspicious API calls that may indicate credential abuse


Protection Beyond Detection

While detection is critical, RAD Security goes further with actionable remediation:

  1. Automated Response: Configure automatic quarantine of affected workloads
  2. Continuous Verification: Validate the integrity of your build process at every step
  3. Software Bill of Materials (SBOM): Maintain comprehensive visibility into all components
  4. Policy Enforcement: Implement guardrails to prevent using unvetted actions


Real-World Customer Success

A RAD Security customer in the financial sector recently experienced an attempted attack leveraging the compromised GitHub Action. Our platform detected unusual network connections from their CI environment within minutes of the compromise attempt, allowing their security team to:

  • Block the exfiltration attempt
  • Identify affected repositories
  • Replace the compromised action with a secure alternative
  • Verify no successful data theft occurred

The entire incident was contained before any sensitive data could be compromised, saving potentially millions in breach costs and regulatory penalties.

Recommended Actions

If you're concerned about exposure to the tj-actions/changed-files attack or similar supply chain compromises:

  1. Immediate Assessment: Deploy RAD Security to scan your environment for indicators of compromise
  2. CI/CD Hardening: Implement strict controls on GitHub Action usage with our policy engine
  3. Runtime Protection: Enable continuous behavioral monitoring of build environments
  4. Supply Chain Verification: Establish integrity checks throughout your deployment pipeline
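The pinning control behind "CI/CD Hardening" above and the admission policy's requirement for pinned and verified action versions can be checked at the workflow-file level. The audit below is an added example, not RAD Security's policy engine: it reports every `uses:` reference that is not pinned to a full 40-character commit SHA (tags and branches can be moved to malicious code, which is exactly what made CVE-2025-30066 dangerous) and flags any reference to tj-actions/changed-files for review. The sample workflow and its commit SHA are constructed, not taken from a real repository.

```python
import re
from dataclasses import dataclass

# Matches `uses: owner/repo[/subpath]@ref`; local (./path) and docker:// references
# have no upstream tag to pin and are deliberately not matched.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>[^\s'\"#]+)"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
COMPROMISED_ACTION = "tj-actions/changed-files"  # the action named in CVE-2025-30066

@dataclass
class Finding:
    line_no: int
    action: str
    ref: str
    reason: str

def audit_workflow(text: str) -> list[Finding]:
    """Return one Finding per `uses:` reference that violates the pinning policy."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group("action"), m.group("ref")
        owner_repo = "/".join(action.split("/")[:2])
        if owner_repo == COMPROMISED_ACTION:
            # Reported even when SHA-pinned, so the ref gets reviewed against the advisory.
            findings.append(Finding(line_no, action, ref, "references compromised action"))
        if not FULL_SHA_RE.match(ref):
            # Tags and branches are mutable; only a full commit SHA is immutable.
            findings.append(Finding(line_no, action, ref, "not pinned to a full commit SHA"))
    return findings

# Constructed sample workflow (not from any real repository); the SHA is a placeholder.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.2.2
      - name: Detect changed files
        uses: tj-actions/changed-files@v45
      - uses: ./.github/actions/local-step
      - uses: actions/setup-node@v4
"""
```

Running `audit_workflow(SAMPLE_WORKFLOW)` reports the tj-actions/changed-files line twice (compromised action, unpinned tag) and the setup-node line once; the SHA-pinned checkout and the local action produce nothing.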


Secure Smarter. Defend Faster. That’s RAD.

The tj-actions/changed-files attack represents a sophisticated evolution in supply chain attacks, targeting the very tools developers rely on to build secure software. With RAD Security's multi-layered approach to detection and protection, organizations can identify compromised components, detect exploitation attempts, and maintain the integrity of their software supply chain.

In an era where supply chain attacks are becoming increasingly common and sophisticated, RAD Security provides the comprehensive visibility and protection needed to build with confidence.
