Closed
Labels: ci (Related to internal CI tooling), security (Related to security vulnerabilities)
Description
Filing a public issue instead of reporting this as a private vulnerability, since this malware is a publicly known and urgent issue.
ruff uses a compromised version of tj-actions/changed-files. The compromised action appears to leak secrets the runner has in memory.
The action is included in: https://github.com/astral-sh/ruff/blob/main/.github/workflows/ci.yaml
Output of an affected run on ruff: https://github.com/astral-sh/ruff/actions/runs/13868731237/job/38812473949?pr=16641#step:3:113
Please review.
Learn about the compromise on StepSecurity or Semgrep.
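As an added check, not part of the issue or of the ruff project's own tooling: a small audit script that scans workflow YAML for `uses:` steps that reference the named action, or that pin any action to a mutable tag or branch instead of a full commit SHA (the mitigation this class of action compromise calls for). The sample workflow text, the suspect-action list and the empty `KNOWN_BAD_SHAS` placeholder are assumptions; the issue does not list the compromised commits, so none are filled in.

```python
import re
import sys
from pathlib import Path
from typing import Dict, List

# Constructed sample modelled on a typical CI workflow; this is NOT ruff's ci.yaml.
SAMPLE_WORKFLOW = """\
name: CI
on: [push, pull_request]
jobs:
  determine-changes:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Get changed files
        uses: tj-actions/changed-files@v45
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567
"""

# Matches `uses: owner/repo[/path]@ref`; local (./) and docker:// uses are ignored.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+)(?:/[^@\s]*)?@(\S+)", re.M)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# PLACEHOLDER: populate from the published advisory; intentionally empty here.
KNOWN_BAD_SHAS: set = set()
SUSPECT_ACTIONS = ("tj-actions/changed-files",)


def audit_workflow(text: str) -> List[Dict[str, str]]:
    """One finding per risky `uses:` step; an empty list means nothing to flag."""
    findings = []
    for m in USES_RE.finditer(text):
        action, ref = m.group(1), m.group(2)
        pinned = bool(FULL_SHA_RE.match(ref))
        if ref in KNOWN_BAD_SHAS:
            reason = "known compromised commit"
        elif action in SUSPECT_ACTIONS:
            # A tag resolves to whatever the attacker moved it to; a SHA can be checked.
            reason = "suspect action; " + ("verify SHA against advisory" if pinned
                                           else "mutable ref, cannot verify")
        elif not pinned:
            reason = "mutable ref, not pinned to a full commit SHA"
        else:
            continue
        findings.append({"action": action, "ref": ref, "reason": reason})
    return findings


if __name__ == "__main__":
    # Usage: python audit.py [repo_root]; defaults to the sample text above.
    paths = list(Path(sys.argv[1]).glob(".github/workflows/*.y*ml")) if len(sys.argv) > 1 else []
    texts = [p.read_text() for p in paths] or [SAMPLE_WORKFLOW]
    for t in texts:
        for f in audit_workflow(t):
            print(f"{f['action']}@{f['ref']}: {f['reason']}")
```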