GitHub suffers a cascading supply chain attack compromising CI/CD secrets

Widening impact assessment

The tj-actions developers had previously reported they could not determine exactly how attackers gained access to their GitHub personal access token. This new finding from Wiz provides the missing link, suggesting that the initial reviewdog compromise was the first domino in this cascading attack chain.

Beyond the confirmed compromise of reviewdog/action-setup@v1, the investigation has revealed several other potentially impacted actions from the same developer. These include reviewdog/action-shellcheck, reviewdog/action-composite-template, reviewdog/action-staticcheck, reviewdog/action-ast-grep, and reviewdog/action-typos. The full extent of the compromise across these tools remains under investigation.

While GitHub and the reviewdog maintainers have implemented fixes, you should be aware that if any of the compromised actions remain in use, a repeat attack targeting "tj-actions/changed-files" could still occur, especially if the exposed secrets have not been rotated.
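As an added example (not code from the article, GitHub or the reviewdog project), the following script audits workflow files for the actions named above and for any `uses:` reference pinned to a mutable tag rather than a full commit SHA. The `SAMPLE_WORKFLOW` text and the 40-character SHA in it are constructed placeholders, not real workflow content or commit ids.

```python
import re
import sys
from pathlib import Path

# Actions the article names as confirmed or potentially impacted.
AFFECTED_ACTIONS = {
    "reviewdog/action-setup",
    "reviewdog/action-shellcheck",
    "reviewdog/action-composite-template",
    "reviewdog/action-staticcheck",
    "reviewdog/action-ast-grep",
    "reviewdog/action-typos",
    "tj-actions/changed-files",
}

# Matches `uses: owner/repo[/path]@ref`, with or without a leading `- ` and quotes.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^@'\"\s]+)@([^'\"\s#]+)")
# A full-length commit SHA is the only immutable way to pin an action.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def audit_workflow(text):
    """Return (line_no, action, ref, finding) tuples for risky `uses:` lines."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue  # local actions, docker refs and non-`uses` lines are skipped
        action, ref = m.group(1), m.group(2)
        repo = "/".join(action.split("/")[:2])  # drop any sub-path inside the repo
        pinned = bool(SHA_RE.match(ref))
        if repo in AFFECTED_ACTIONS:
            note = "affected action in use" + ("" if pinned else ", mutable ref")
            findings.append((n, action, ref, note))
        elif not pinned:
            findings.append((n, action, ref, "not pinned to commit SHA"))
    return findings

def audit_directory(workflows_dir):
    """Audit every .yml/.yaml file under a .github/workflows directory."""
    return {p.name: audit_workflow(p.read_text()) for p in Path(workflows_dir).glob("*.y*ml")}

# Constructed sample workflow; the SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: lint
on: [pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: reviewdog/action-setup@v1
      - uses: tj-actions/changed-files@v45
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = audit_directory(target) if target else {"sample.yml": audit_workflow(SAMPLE_WORKFLOW)}
    for name, rows in results.items():
        for n, action, ref, note in rows:
            print(f"{name}:{n}: {action}@{ref}: {note}")
```

Run it with the path to a repository's `.github/workflows` directory; any line reported as an affected action should be removed or re-pinned to a reviewed commit, and the secrets that workflow could read rotated.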
