GitHub suffers a cascading supply chain attack compromising CI/CD secrets

Original link: https://www.infoworld.com/article/3849245/github-suffers-a-cascading-supply-chain-attack-compromising-ci-cd-secrets.html


Hacker News: GitHub suffers a cascading supply chain attack compromising CI/CD secrets (infoworld.com)
Submitted by vinnyglennon 29 minutes ago | 22 points | 2 comments

chuckadams 1 minute ago
The attack is described as "sophisticated", but we should thank our (GitHub) stars that this breach was a sloppy job that in the end only affected public repos. It's almost as if a gray-hat hacker was trying to make supply chain vulnerabilities more visible without doing any real damage.

apimade 16 minutes ago
Previous discussion: https://news.ycombinator.com/item?id=43368870

Original text

The tj-actions developers had previously reported they could not determine exactly how attackers gained access to their GitHub personal access token. This new finding from Wiz provides the missing link, suggesting that the initial reviewdog compromise was the first domino in this cascading attack chain.

Beyond the confirmed compromise of reviewdog/action-setup@v1, the investigation has revealed several other potentially impacted actions from the same developer. These include reviewdog/action-shellcheck, reviewdog/action-composite-template, reviewdog/action-staticcheck, reviewdog/action-ast-grep, and reviewdog/action-typos. The full extent of the compromise across these tools remains under investigation.

While GitHub and reviewdog maintainers have implemented fixes, Wiz warns that if any compromised actions remain in use, a repeat attack targeting “tj-actions/changed-files” could still occur — especially if exposed secrets are not rotated.
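The practical check that follows from Wiz's warning is to find out whether any workflow in your own repositories still references one of the named actions, and whether that reference is a mutable tag (which an attacker who controls the repository can retarget) or an immutable 40-character commit SHA. The script below is an added example written for this page; it is not code from InfoWorld, Wiz, reviewdog or tj-actions. It assumes the list of affected repositories is exactly the one the article names (extend it as findings are published), it matches `uses:` lines with a regular expression rather than a full YAML parser, and the sample workflow and its 40-hex commit reference are constructed placeholders, not real repository contents or a real reviewdog commit.

```python
"""Find references to the actions named in the reviewdog/tj-actions findings in
GitHub Actions workflow files and report whether each is pinned to a full commit SHA."""
import re
from pathlib import Path

# Repositories named in the article (assumed illustrative; extend as new findings appear).
AFFECTED_REPOS = {
    "tj-actions/changed-files",
    "reviewdog/action-setup",
    "reviewdog/action-shellcheck",
    "reviewdog/action-composite-template",
    "reviewdog/action-staticcheck",
    "reviewdog/action-ast-grep",
    "reviewdog/action-typos",
}

# Matches `uses: owner/repo[/subpath]@ref`, optionally quoted. Local actions
# (./path) carry no "@" and are skipped; trailing comments are cut at "#".
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^@\s'\"]+)@([^\s'\"#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def scan_workflow(text):
    """Return one dict per remote `uses:` reference found in a workflow file's text."""
    findings = []
    for match in USES_RE.finditer(text):
        action, ref = match.group(1), match.group(2)
        if action.startswith("docker://"):
            continue  # container images are pinned by digest, a separate check
        repo = "/".join(action.split("/")[:2])  # drop any subpath inside the repo
        findings.append({
            "action": action,
            "repo": repo,
            "ref": ref,
            "pinned": bool(FULL_SHA_RE.match(ref)),
            "affected": repo in AFFECTED_REPOS,
        })
    return findings


def summarize(findings):
    """Bucket references by urgency: an affected repo on a mutable ref needs action now."""
    return {
        "affected_unpinned": [f for f in findings if f["affected"] and not f["pinned"]],
        "affected_pinned": [f for f in findings if f["affected"] and f["pinned"]],
        "other_unpinned": [f for f in findings if not f["affected"] and not f["pinned"]],
    }


def scan_directory(root):
    """Scan every workflow under <root>/.github/workflows; returns findings keyed by file path."""
    workflows = Path(root) / ".github" / "workflows"
    paths = sorted(list(workflows.glob("*.yml")) + list(workflows.glob("*.yaml")))
    return {str(p): scan_workflow(p.read_text(encoding="utf-8")) for p in paths}


# Constructed sample workflow (not from any real repository). The 40-hex ref is a
# placeholder to exercise the SHA check, not a real reviewdog commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: reviewdog/action-setup@v1
      - uses: "reviewdog/action-shellcheck@0123456789abcdef0123456789abcdef01234567"
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""

if __name__ == "__main__":
    for bucket, items in summarize(scan_workflow(SAMPLE_WORKFLOW)).items():
        for f in items:
            print(f"{bucket}: {f['action']}@{f['ref']}")
```

Run `scan_directory(".")` from a checkout to cover all workflows in a repository. Even a reference that is already pinned to a SHA only tells you that the tag cannot be silently retargeted again; whether that SHA predates the compromise, and whether the secrets that job could read have been rotated, still has to be checked by hand.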

Contact us: contact @ memedata.com