March 2026 monthly report: supply chain hardening, one year after tj-actions
It's been a year since CVE-2025-30066 (the tj-actions/changed-files compromise) and the XZ Utils backdoor (CVE-2024-3094) is two years old this month. Where supply-chain defence stands, what changed, and what most teams still haven't done.
Two anniversaries, one lesson
March 2026 marks two consequential anniversaries in software supply-chain security:
- One year ago (March 14, 2025): the tj-actions/changed-files GitHub Action was compromised - CVE-2025-30066. Every tag was force-updated to point at a malicious commit; thousands of CI runs exfiltrated their secrets to public workflow logs before detection.
- Two years ago (March 29, 2024): Andres Freund disclosed the XZ Utils backdoor (CVE-2024-3094) - a multi-year social-engineering operation that planted an sshd bypass in liblzma, narrowly intercepted before it reached stable distributions.
The lesson keeps repeating: the maintainer is the threat surface.
The three case studies you should know
| Incident | CVE | Year | Pattern |
|---|---|---|---|
| tj-actions/changed-files | CVE-2025-30066 | 2025 | Maintainer token compromise + tag rewrite |
| XZ Utils backdoor | CVE-2024-3094 | 2024 | Long-cycle social engineering of OSS maintainer |
| ScreenConnect bypass | CVE-2024-1709 | 2024 | Vendor-distributed RMM as attack vector |
Tag-pinning is no longer a defence. The tj-actions compromise rewrote every tag to point at the malicious commit. Any workflow using @v1-style references inherited the malicious code immediately. The CISA recommendation is now: pin to commit SHA (40-character) for every third-party action.
CVE-2024-1709: ConnectWise ScreenConnect
In February 2024 ConnectWise disclosed CVE-2024-1709 - an authentication bypass in ScreenConnect (their RMM product) that allowed remote attackers to create an administrator account on unpatched servers. The CVE was mass-exploited within hours of disclosure; CISA added it to KEV the same week.
The ScreenConnect case sits between the tj-actions and XZ cases on the supply-chain spectrum: not a malicious-maintainer compromise, but a remote-administration tool whose compromise gives downstream access to every customer endpoint it manages. RMM products are part of your software supply chain whether you classify them that way or not.
The supply-chain defence stack
Pin third-party actions to commit SHA
Every uses: in your GitHub Actions workflows should reference a 40-character commit SHA, not a tag. Renovate, Dependabot, and GitHub's built-in Allowed actions policy can enforce this. The tj-actions compromise is the canonical reason.
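An added example, not from the original report or any project it mentions: a line-based audit that flags `uses:` references not pinned to a 40-character commit SHA. It goes slightly beyond the text by also accepting `docker://` references only when they carry a `sha256:` digest; the sample workflow, its SHA and `example-org` are constructed placeholders.

```python
import re

# A `uses:` key on a step or job, with optional quotes and trailing comment.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)['\"]?\s*(?:#.*)?$")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}", re.IGNORECASE)
DOCKER_DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")

# Constructed sample workflow; the SHA and example-org are placeholders.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: tj-actions/changed-files@v1
      - uses: ./.github/actions/lint
      - name: scan
        uses: docker://alpine:3.20
  release:
    uses: example-org/ci/.github/workflows/release.yml@main
"""

def classify(ref):
    """Return 'local', 'pinned', or the reason the reference is not pinned."""
    if ref.startswith("./"):
        return "local"  # lives in this repository, versioned with the workflow
    if ref.startswith("docker://"):
        digest = ref.partition("@")[2]
        if DOCKER_DIGEST_RE.fullmatch(digest):
            return "pinned"
        return "docker image not pinned by digest"
    version = ref.partition("@")[2]
    if FULL_SHA_RE.fullmatch(version):
        return "pinned"
    return "mutable ref (tag, branch or short SHA)"

def audit(workflow_text):
    """Return (line_number, reference, reason) for each unpinned `uses:` line."""
    findings = []
    for number, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if match and classify(match.group(1)) not in ("local", "pinned"):
            findings.append((number, match.group(1), classify(match.group(1))))
    return findings

if __name__ == "__main__":
    for number, ref, reason in audit(SAMPLE_WORKFLOW):
        print(f"line {number}: {ref}: {reason}")
```

Run `audit()` over every file under `.github/workflows` as a CI gate and fail the build on any finding; reusable workflows called at job level are covered because they use the same `uses:` key.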
SLSA Level 2+ for your own builds
The Supply-chain Levels for Software Artifacts (SLSA) framework defines a maturity ladder for build provenance. Level 2 (signed provenance) is the achievable target for most teams; Level 3 (hardened builds) is the goal.
Sigstore for artifact signing
Sigstore (sigstore.dev) provides keyless signing for container images, packages, and binaries via short-lived certificates. Open source, free, and the emerging consensus standard.
SBOM for every release
Software Bill of Materials in CycloneDX or SPDX format. Required by US Executive Order 14028 for federal procurement; an industry expectation for everyone else. Generate with Syft, validate with Grype.
RMM / IT-tool inventory
List every remote-management tool with access to your endpoints (ConnectWise, TeamViewer, AnyDesk, Kaseya). For each, confirm the vendor's CVE feed is in your monitoring stack. RMM products are first-class supply-chain risk.
Where the industry actually is
The XZ backdoor was the cybersecurity event of 2024 not because it succeeded - it didn't - but because it demonstrated that a sustained social-engineering campaign against an unpaid maintainer is a viable attack model. tj-actions repeated the lesson at lower cost a year later.
- Staatse monthly digest, Mar 2026
Key takeaways
- Pin every third-party GitHub Action to a 40-character commit SHA. Tag-pinning failed at scale on March 14, 2025.
- SLSA + Sigstore + SBOM is the emerging defence stack. Industry adoption is still under 50% on every metric - early adopters get the differentiation.
- RMM / IT-tool inventories are part of your supply chain. ConnectWise, TeamViewer, and similar require the same CVE-feed monitoring as any first-party dependency.
- The maintainer is the threat surface. Two-year social-engineering campaigns are now demonstrated and viable - your trust model for OSS components has to account for that.
Closing
For a structured review of your CI/CD supply-chain posture - GitHub Actions pinning, SLSA gaps, SBOM coverage, RMM inventory - our web application security service covers this scope. Get in touch.
References & further reading
- NVD: CVE-2025-30066 - tj-actions/changed-files allows information disclosure
- Wiz Research: GitHub Action tj-actions/changed-files supply chain attack: from CVE-2025-30066 to root cause
- NVD: CVE-2024-3094 - XZ Utils malicious backdoor in upstream tarballs
- Red Hat: Urgent security alert for Fedora 41 and Rawhide users - CVE-2024-3094
- Andres Freund: Original public disclosure of XZ backdoor (oss-security)
- NVD: CVE-2024-1709 - ConnectWise ScreenConnect authentication bypass
- SLSA Framework: Supply-chain Levels for Software Artifacts (SLSA)
- Sigstore: Sigstore - software signing for the masses
- CISA: Securing the Software Supply Chain - Recommended Practices