BSidesPDX-2025

In March 2025, the tj-actions/changed-files GitHub Action, which is used by 24,000 repositories, was weaponized to steal CI/CD secrets. All 361 version tags were pointed to malicious code that dumped credentials from memory directly into build logs. We were the first responders.

Come hear the untold story of the 72-hour incident response. You'll learn how we detected an attack that traditional tools missed, built an IOC scanner over a weekend while the attack was live, and coordinated disclosure with dozens of organizations.

You'll walk away with:
- A tested incident response playbook you can adapt for your organization
- Open-source tools: harden-runner (behavioral monitoring) and ghscan (IOC scanning)
- Practical defenses for resilience against similar attacks