Closed
Description
Filing a public issue instead of reporting this as a private vulnerability, since this malware is publicly known and an urgent issue.
This repo uses a compromised version of tj-actions/changed-files. The compromised action leaks secrets the runner has in memory.
uses: tj-actions/changed-files@v45
These run IDs have creds leaked. Please rotate (if applicable) and delete the workflow runs.
13864217887, 13864192408
e.g.: https://github.com/influxdata/telegraf/actions/runs/13864217887/job/38799581231#step:4:57
You can also use https://github.com/step-security/changed-files going forward.
Reference about this incident: https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised
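An added example, not part of the original issue or of the telegraf repository: a small scanner that lists every reference to the action named above in a workflow file and reports whether it resolves through a movable tag or branch (such as `@v45`) or a full 40-character commit SHA. The function name, the sample workflow and the SHA in it are constructed for illustration; every hit still needs to be checked against the incident reference.

```python
import re

# Action named in the issue above; all other names here are assumptions of this example.
FLAGGED_ACTION = "tj-actions/changed-files"

# Matches a step's `uses: owner/repo[/path]@ref`, with optional list dash and quotes.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*["']?(?P<action>[^@\s"'#]+)@(?P<ref>[^\s"'#]+)""")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def scan_workflow(text, flagged=FLAGGED_ACTION):
    """Return one finding per reference to `flagged` in a workflow file's text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # skip commented-out steps
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group("action"), m.group("ref")
        # Compare owner/repo only, so sub-path actions (owner/repo/path) also match.
        repo = "/".join(action.split("/")[:2]).lower()
        if repo != flagged.lower():
            continue
        findings.append({
            "line": lineno,
            "action": action,
            "ref": ref,
            # A tag or branch can be moved to different code; a full SHA cannot.
            "mutable_ref": not FULL_SHA_RE.match(ref.lower()),
        })
    return findings


# Constructed sample workflow (not taken from the telegraf repository).
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  changes:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - id: files
        uses: tj-actions/changed-files@v45
      # - uses: tj-actions/changed-files@v44
      - uses: "tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567"  # placeholder SHA
"""
```

Run `scan_workflow` over each file under `.github/workflows/` and review every finding, starting with those where `mutable_ref` is true.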