CI/CD Pipeline Attack Exploits Version Tags

An attacker compromised a personal access token for the tj-actions/changed-files GitHub Action on March 14, 2025, pushing malicious code under a trusted version tag. The action is used by over 23,000 repositories. The attack breaks the assumption that version tags point to unchanged code.