
The popular @ctrl/tinycolor package, which receives over 2 million weekly downloads, has been compromised along with more than 40 other packages across multiple maintainers. This attack demonstrates a concerning evolution in supply chain threats - the malware includes a self-propagating mechanism that automatically infects downstream packages, creating a cascading compromise across the ecosystem.


This article explores how AI coding agents (GitHub Copilot, Claude Code, etc.) operating in CI/CD environments introduce novel security risks that traditional EDR solutions can't detect. The key insight: these agents have elevated privileges to create branches, open PRs, and execute code based on natural language instructions - but organizations have zero visibility into what they're actually doing behind the scenes. The post highlights real attack scenarios where agents can be manipulated through behavioral exploitation rather than direct compromise. For example, tricking an agent into generating subtle vulnerabilities in PRs that human reviewers might miss, or having them trigger malicious workflow runs through seemingly innocent issue comments. Most interesting is the "context gap" problem - traditional security tools see low-level system calls but miss the AI decision chain that led to those actions. When an agent downloads from gist.githubusercontent.com, is it fetching legitimate dependencies or malicious code? Without CI/CD-aware monitoring, you can't tell. The article is part of a series examining these risks and demonstrating runtime monitoring approaches specific to AI-powered development workflows.


Due to the ongoing security incident involving the tj-actions/changed-files Action, we at StepSecurity have provided a secure, drop-in replacement: step-security/changed-files.

We strongly advise replacing all instances of tj-actions/changed-files in your workflows with our secure alternative: https://github.com/step-security/changed-files


Kudos for making this freely available. I was initially delighted to find out that there was a StepSecurity-maintained alternative for the dorny/paths-filter action[1], as that seemed like a reasonable alternative to migrate to, but ended up being disappointed once I realized that it requires a subscription to use[2].

[1]: https://github.com/step-security/paths-filter
[2]: https://github.com/step-security/paths-filter/blob/b251c10d0...


@kurmiashish - If you and your team are willing to share your version without requiring a StepSecurity subscription today or in the future, I'm happy to archive our repo and redirect users to StepSecurity.

Thanks again for your timely detection and reporting!


@rahulr0609 https://github.com/step-security/changed-files will forever remain free, and the community can use it without requiring a StepSecurity subscription.


Disclaimer: I am a co-founder of StepSecurity.

StepSecurity Harden-Runner detected this security incident by continuously monitoring outbound network calls from GitHub Actions workflows and generating a baseline of expected behaviors. When the compromised tj-actions/changed-files Action was executed, Harden-Runner flagged it due to an unexpected endpoint appearing in the network traffic—an anomaly that deviated from the established baseline. You can check out the project here: https://github.com/step-security/harden-runner
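The comment above describes the detection in two steps: build a baseline of which hosts each workflow step normally contacts, then alert when a run contacts a host outside that baseline. The script below is an added illustration of that idea and is not Harden-Runner's code; the pipe-delimited egress records, the step names and the host `unexpected-endpoint.example` are constructed sample data.

```python
"""Baseline-and-anomaly check for GitHub Actions egress.

Added example, not Harden-Runner's implementation. The log format
(workflow|job|step|destination host) and all records are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed egress records from runs that were reviewed and considered normal
BASELINE_LOG = """\
ci.yml|build|actions/checkout|github.com
ci.yml|build|actions/checkout|api.github.com
ci.yml|build|tj-actions/changed-files|api.github.com
ci.yml|build|npm ci|registry.npmjs.org
ci.yml|build|tj-actions/changed-files|api.github.com
"""

# Constructed records from a later run: one step contacts a host never seen before
NEW_RUN_LOG = """\
ci.yml|build|actions/checkout|github.com
ci.yml|build|tj-actions/changed-files|api.github.com
ci.yml|build|tj-actions/changed-files|unexpected-endpoint.example
ci.yml|build|npm ci|registry.npmjs.org
"""


@dataclass(frozen=True)
class Egress:
    workflow: str
    job: str
    step: str
    host: str


def parse_log(text: str) -> list[Egress]:
    """Parse pipe-delimited egress records; blank lines and '#' comments are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != 4:
            raise ValueError(f"malformed egress record: {line!r}")
        records.append(Egress(*parts))
    return records


def build_baseline(records: list[Egress]) -> dict:
    """Map each (workflow, job, step) to the set of hosts it contacted."""
    baseline = defaultdict(set)
    for r in records:
        baseline[(r.workflow, r.job, r.step)].add(r.host)
    return dict(baseline)


def find_anomalies(baseline: dict, records: list[Egress]) -> list[Egress]:
    """Return records whose host is outside the baseline for that step.

    A step with no baseline entry at all is also reported, because every
    host it contacts is new by definition.
    """
    return [
        r for r in records
        if r.host not in baseline.get((r.workflow, r.job, r.step), set())
    ]


def summarize(anomalies: list[Egress]) -> list[str]:
    """Human-readable alert lines, one per anomalous record."""
    return [f"{a.workflow}/{a.job}/{a.step} -> {a.host}" for a in anomalies]


if __name__ == "__main__":
    base = build_baseline(parse_log(BASELINE_LOG))
    for msg in summarize(find_anomalies(base, parse_log(NEW_RUN_LOG))):
        print("ALERT unexpected egress:", msg)
```

The baseline is keyed per step rather than per workflow on purpose: `api.github.com` is expected from the checkout step, so a whole-workflow allowlist would not notice a third-party action that starts talking to it, whereas a per-step baseline still would.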


The advertising in this article is making it actively difficult to figure out how to remediate this issue. The "recovery steps" section just says "start our 14-day free trial".

The security industry tolerates self-promotion only to the extent that the threat research benefits everyone.


Thank you, cyrnel, for the feedback! We are trying our best to help serve the community. Now, we have separate recovery steps for general users and our enterprise customers.


Thanks for the edit! In "incident response mode" every moment counts!


A simpler method to detect this would be to store GitHub action tag hashes and freeze an action if any tag is changed
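The suggestion above, stored tag-to-commit hashes plus a freeze when a tag moves, can be expressed in a few dozen lines. The script below is an added example, not any existing tool: it compares a stored snapshot of `owner/repo@tag -> commit` against a freshly resolved one, reports tags whose commit changed, and rewrites `uses:` lines to the stored SHA while leaving moved tags unpinned for human review. The snapshot, the "current" mapping, the 40-character placeholder SHAs and the workflow text are all constructed; in practice the current mapping would come from `git ls-remote` or the GitHub API.

```python
"""Detect moved GitHub Action tags and pin workflow `uses:` lines to commits.

Added example, not a real tool. STORED/CURRENT/WORKFLOW are constructed
sample data and the SHAs are placeholders, not real commits.
"""
import re

# Constructed snapshot recorded when the workflow was last reviewed
STORED = {
    "actions/checkout@v4": "a" * 40,
    "tj-actions/changed-files@v45": "b" * 40,
    "some-org/lint-action@v1": "c" * 40,
}

# Constructed fresh resolution of the same tags; one tag now points elsewhere
CURRENT = {
    "actions/checkout@v4": "a" * 40,
    "tj-actions/changed-files@v45": "d" * 40,
    "some-org/lint-action@v1": "c" * 40,
}

# Constructed workflow fragment using tag references
WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: some-org/lint-action@v1
      - run: npm ci
"""


def find_moved_tags(stored: dict, current: dict) -> dict:
    """Return {ref: (old_sha, new_sha)} for tags whose commit changed.

    A tag missing from `current` is reported with new_sha=None (deleted tag).
    """
    moved = {}
    for ref, old in stored.items():
        new = current.get(ref)
        if new != old:
            moved[ref] = (old, new)
    return moved


# Matches `uses: owner/repo@ref` lines; [ \t] rather than \s so the match
# never spans line breaks under re.M.
USES_RE = re.compile(
    r"^(?P<indent>[ \t]*-?[ \t]*uses:[ \t]*)(?P<ref>[\w.-]+/[\w.-]+@[\w./-]+)[ \t]*$",
    re.M,
)


def pin_workflow(yaml_text: str, stored: dict, moved: dict):
    """Rewrite tag refs to the stored SHA, keeping the tag as a trailing comment.

    Refs whose tag moved are left untouched and returned in `frozen` so a
    human reviews them before anything is pinned. Refs not in the snapshot
    are also left alone.
    """
    frozen = []

    def repl(m):
        ref = m.group("ref")
        if ref in moved:
            frozen.append(ref)
            return m.group(0)
        sha = stored.get(ref)
        if sha is None:
            return m.group(0)
        name, tag = ref.rsplit("@", 1)
        return f"{m.group('indent')}{name}@{sha} # {tag}"

    return USES_RE.sub(repl, yaml_text), frozen


if __name__ == "__main__":
    moved = find_moved_tags(STORED, CURRENT)
    for ref, (old, new) in moved.items():
        print(f"FROZEN {ref}: tag moved {old[:7]} -> {new[:7] if new else 'deleted'}")
    pinned, frozen = pin_workflow(WORKFLOW, STORED, moved)
    print(pinned)
```

Pinning to the stored commit rather than to whatever the tag resolves to today is the point: a tag that has been force-moved is exactly the case where "current" cannot be trusted, so the script refuses to pin it and surfaces it instead.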

