2025-10-25 –, Talk 1
In March 2025, the tj-actions/changed-files GitHub Action, which is used by 24,000 repositories, was weaponized to steal CI/CD secrets. All 361 version tags were pointed to malicious code that dumped credentials from memory directly into build logs. We were the first responders.
Come hear the untold story of the 72-hour incident response. You'll learn how we detected an attack that traditional tools missed, built an IOC scanner over a weekend while the attack was live, and coordinated disclosure with dozens of organizations.
You'll walk away with:
- A tested incident response playbook you can adapt for your organization
- Open-source tools: harden-runner (behavioral monitoring) and ghscan (IOC scanning)
- Practical defenses for resilience against similar attacks
Talk Outline
The Alert
- March 14, 1:01 PM: harden-runner's behavioral monitoring detects anomaly
- Quick realization of scope: 24,000 affected repositories
- Ashish and Mark were first responders to attack
The Attack
- Attack masqueraded as renovate[bot] with commit 0e58ed8
- All 361 version tags redirected to malicious commit
- Memory scraping exfiltrated secrets to action logs
- Brief demo: What the malicious base64 logs looked like
Initial Response
Friday: Detection & Triage
- March 14, 22:20 UTC: StepSecurity reports compromise
- Internal and external response of orgs
Saturday: Emergency Engineering
- Creating tj-scan/ghscan from scratch (live code snippet)
- Scanning results reveal : 233 system.github.tokens, 151 github_tokens compromised
- Discovering cloud.gov, CISA, and other government credentials leaked
Sunday: Disclosure Coordination
- Managing disclosure to 50+ organizations with leaked credentials
- Reporting government credentials to CISA
What Actually Helped
Quick Wins
- Demo: How harden-runner detected the attack
- Demo: Using ghscan to check for similar compromises
- Action pinning that doesn't break your workflows
Longer-term Improvements
- Migrating from static secrets to OIDC
- Setting up runtime monitoring
- Config changes that made the biggest difference
Resource
- Links to tools and response playbook (QR code)
- Open invitation for questions and help
Mark Esler works on software supply chain security, vulnerability disclosure, and system hardening.
Ashish Kurmi is the CTO and co-founder of StepSecurity, a cybersecurity startup securing CI/CD pipelines against supply chain attacks. Before StepSecurity, he was with Microsoft Corporation, Uber Technologies, and Plaid Inc. in security leadership roles. He primarily worked with software developers at these companies to understand their security pain points and built security systems to remediate security issues at scale. He has 15 years of experience in security and software engineering.
Ashish has previously spoken at several conferences such as BlackHat USA, (ISC)2 Security Congress, and Open Source 101.