Compromised SpotBugs token led to GitHub Actions supply chain hack
By Ionut Arghire
Threat actors used a personal access token (PAT) compromised in December 2024 to mount the March 2025 supply chain attack on GitHub Actions, Palo Alto Networks reports.
On March 14, 2025, the code of the tj-actions/changed-files GitHub action was altered so that it executed malicious code that dumped CI/CD secrets into build logs, likely in preparation for further attacks. Any repository whose workflows pulled the tampered action during that window should treat the secrets available to those jobs as exposed and rotate them.
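The two checks below are an added example, not code from the article, from Palo Alto Networks, or from the tj-actions project. They show what a repository owner would run after learning that a third-party action was tampered with: first, audit workflow files for actions referenced by a mutable tag or branch rather than a full commit SHA (the standard mitigation, since a tag can be moved to malicious code while a 40-hex SHA cannot); second, scan a build log for secret-shaped material, including long base64 blobs, because the runner only masks secrets that appear literally as `***` and an encoded dump slips past that. The workflow, the log lines, the token, the AWS key and the 40-hex SHA are all constructed placeholders.

```python
"""Post-incident checks for a tampered GitHub Action (example code added to
this page; not from the article or the projects it names)."""
import base64
import re

# Constructed workflow; the 40-hex SHA on the setup-node line is fabricated.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: "actions/setup-node@0123456789abcdef0123456789abcdef01234567"
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.19
      - run: npm test
"""

USES_RE = re.compile(r"""^\s*-?\s*uses:\s*["']?([^"'\s#]+)""")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned_actions(workflow_text):
    """Return (line_no, reference, reason) for every 'uses:' step that is not
    pinned to an immutable revision. In-repo actions (./path) are skipped
    because they are reviewed together with the rest of the repository."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./"):
            continue
        if ref.startswith("docker://"):
            if "@sha256:" not in ref:
                findings.append((line_no, ref, "container image not pinned by digest"))
            continue
        if "@" not in ref:
            findings.append((line_no, ref, "no version reference at all"))
            continue
        version = ref.rsplit("@", 1)[1]
        if not FULL_SHA_RE.match(version):
            findings.append((line_no, ref, f"mutable reference '{version}'; pin a full commit SHA"))
    return findings


# Secret-shaped patterns. The base64 rule exists because an encoded dump of
# the runner's environment defeats the literal-string masking in job logs.
SECRET_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "long_base64_blob": re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{80,}={0,2}"),
}


def find_secret_leaks(log_text):
    """Return (line_no, pattern_name, matched_text) for each hit in a log."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        for name, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                hits.append((line_no, name, m.group(0)))
    return hits


# Constructed log lines; token, key and the encoded payload are placeholders.
FAKE_TOKEN = "ghp_" + "a" * 36
FAKE_AWS_KEY = "AKIA" + "0123456789ABCDEF"
ENCODED_DUMP = base64.b64encode(b"AWS_SECRET_ACCESS_KEY=" + b"x" * 68).decode()
SAMPLE_LOG = "\n".join([
    "2025-03-14T10:00:00Z ##[group]Run tj-actions/changed-files@v45",
    "2025-03-14T10:00:01Z Fetching changed files",
    f"2025-03-14T10:00:02Z token={FAKE_TOKEN}",
    f"2025-03-14T10:00:03Z AWS_ACCESS_KEY_ID={FAKE_AWS_KEY}",
    f"2025-03-14T10:00:04Z {ENCODED_DUMP}",
    "2025-03-14T10:00:05Z ##[endgroup]",
])

if __name__ == "__main__":
    for line_no, ref, reason in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"workflow line {line_no}: {ref}: {reason}")
    for line_no, name, match in find_secret_leaks(SAMPLE_LOG):
        print(f"log line {line_no}: {name}: {match[:24]}...")
```

On the constructed input the audit flags `actions/checkout@v4`, `tj-actions/changed-files@v45` and the undigested `alpine:3.19` image, while the SHA-pinned step passes; the log scan reports the token, the AWS key and the 120-character base64 blob. A hit from the blob rule is a prompt to decode and inspect, not proof of a leak on its own, since build output can legitimately contain encoded data.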
Read more at Security Week