Actively Exploited in the Wild
This vulnerability is being actively exploited in the wild.
Reviewdog Actions Supply Chain Attack Vulnerability
Vulnerability
A supply chain attack has been identified in the GitHub Action 'reviewdog/action-setup@v1', which was compromised on March 11, 2025, between 18:42 and 20:31 UTC. During this window, malicious code was introduced that extracted secrets exposed in the GitHub Actions workflow environment and dumped them into the workflow logs. The compromise also affects other reviewdog actions that depend on 'reviewdog/action-setup@v1', including 'reviewdog/action-shellcheck', 'reviewdog/action-composite-template', 'reviewdog/action-staticcheck', 'reviewdog/action-ast-grep', and 'reviewdog/action-typos'. The malicious code has since been removed, but the incident has raised concerns about the potential for re-exploitation, particularly of the widely used 'reviewdog/action-shellcheck'.
Impact
The vulnerability led to the injection of malicious code into workflows using the compromised action, causing repositories to leak their secrets in the workflow logs. This exposure was particularly concerning for public repositories, where the leaked secrets were visible to everyone.
Reproduction
The vulnerability was introduced when the 'reviewdog/action-setup@v1' GitHub Action was updated to point to a malicious commit that added code to the 'install.sh' script. This code encoded the CI runner's memory, including the workflow's secrets, and wrote it directly into the workflow logs. The compromise was made possible by the reviewdog organization's large contributor base, which increased the risk that an individual contributor's access would be compromised.
Remediation
Users are advised to stop using the impacted actions immediately, remove all references to them across all branches of their repositories, and rotate any leaked secrets as soon as possible.
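As an added example (not part of this advisory or of the reviewdog project), the following Python script scans GitHub Actions workflow files for 'uses:' references to the actions named above and reports each one, together with whether it is pinned to a full commit SHA or to a movable tag such as '@v1'. The list of impacted actions is taken from this advisory; the sample workflow and its 40-character SHA are constructed placeholders. Flagging movable tags is a general hardening check added here because the compromise described above worked by repointing a tag at a malicious commit; the advisory itself does not prescribe SHA pinning.

```python
import re
import sys
from pathlib import Path
from typing import Dict, List, NamedTuple

# Actions named in the advisory: the compromised setup action and the
# reviewdog actions that depend on it.
IMPACTED_ACTIONS = frozenset({
    "reviewdog/action-setup",
    "reviewdog/action-shellcheck",
    "reviewdog/action-composite-template",
    "reviewdog/action-staticcheck",
    "reviewdog/action-ast-grep",
    "reviewdog/action-typos",
})

# "uses: owner/repo[/subpath]@ref", with or without a leading "- " and quotes.
# Local actions ("./path") and docker:// images carry no owner/repo@ref and are skipped.
USES_RE = re.compile(
    r"""^\s*-?\s*uses:\s*['"]?([A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+)(?:/[^@'"\s]*)?@([^'"\s]+)"""
)
# A full 40-hex commit SHA is immutable; a tag such as @v1 can be moved to another commit.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


class Finding(NamedTuple):
    file: str
    line: int
    action: str
    ref: str
    pinned_to_sha: bool
    impacted: bool


def scan_workflow_text(text: str, name: str = "<inline>") -> List[Finding]:
    """Return one Finding per 'uses:' reference to a remote action in a workflow file."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        action, ref = match.group(1), match.group(2)
        findings.append(
            Finding(name, lineno, action, ref, bool(SHA_RE.match(ref)), action in IMPACTED_ACTIONS)
        )
    return findings


def scan_workflow_dir(root: Path) -> List[Finding]:
    """Scan every .yml/.yaml file under root (normally a checkout's .github/workflows)."""
    findings: List[Finding] = []
    for path in sorted(root.rglob("*.y*ml")):
        findings.extend(scan_workflow_text(path.read_text(encoding="utf-8"), str(path)))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group findings into the two things the remediation cares about."""
    return {
        "impacted": [f"{f.file}:{f.line} {f.action}@{f.ref}" for f in findings if f.impacted],
        "mutable_ref": [f"{f.file}:{f.line} {f.action}@{f.ref}" for f in findings if not f.pinned_to_sha],
    }


# Constructed sample workflow; the 40-hex SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: lint
on: [pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: reviewdog/action-shellcheck@v1
        with:
          reporter: github-pr-review
      - name: typos
        uses: "reviewdog/action-typos@v1"
      - uses: ./.github/actions/local-step
"""


def main(argv: List[str]) -> int:
    findings = scan_workflow_dir(Path(argv[1])) if len(argv) > 1 else scan_workflow_text(SAMPLE_WORKFLOW)
    report = summarize(findings)
    for entry in report["impacted"]:
        print(f"IMPACTED  {entry}")
    for entry in report["mutable_ref"]:
        print(f"MUTABLE   {entry}")
    # Non-zero exit so a CI policy job fails while impacted references remain.
    return 1 if report["impacted"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the path to a checkout's .github/workflows directory; without arguments it scans the embedded sample. Because the remediation asks for references to be removed from every branch, run it once per branch (for example from a separate 'git worktree' per branch), and treat every IMPACTED line as a pointer to secrets that workflow could have exposed and that need rotating.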
