Yeah maybe we can merge with <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=43367987">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=43367987</a>

@dang: The original URL (from Step Security, the company that discovered this flaw) is a better source for this:<a href="https:&#x2F;&#x2F;www.stepsecurity.io&#x2F;blog&#x2F;harden-runner-detection-tj-actions-changed-files-action-is-compromised" rel="nofollow">https:&#x2F;&#x2F;www.stepsecurity.io&#x2F;blog&#x2F;harden-runner-detection-tj-...</a>

We&#x27;ve recently released open-source tools that would have easily prevented this, before anything runs or added to any pipeline:1. The maintainers could have used PRevent to immediately alert and block any PR containing malicious code, or easily configured it for detection in case of a direct push: <a href="https:&#x2F;&#x2F;github.com&#x2F;apiiro&#x2F;PRevent" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;apiiro&#x2F;PRevent</a>2. Users could have used our malicious code detection ruleset to immediately detect and block it when scanning updates in all relevant CI&#x2F;CD stages: <a href="https:&#x2F;&#x2F;github.com&#x2F;apiiro&#x2F;malicious-code-ruleset" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;apiiro&#x2F;malicious-code-ruleset</a>3. For a better understanding of the detection, the malicious code falls precisely into the patterns presented in our research: <a href="https:&#x2F;&#x2F;apiiro.com&#x2F;blog&#x2F;guard-your-codebase-practical-steps-" rel="nofollow">https:&#x2F;&#x2F;apiiro.com&#x2F;blog&#x2F;guard-your-codebase-practical-steps-</a>...

hckrnws

Popular GitHub Action tj-actions/changed-files is compromised