doc: included reviewdog/action-setup@v1 compromise

yfolias · yfolias · commit c1a78a843d02 · 2025-10-08T11:12:28.000+01:00
Signed-off-by: Yannis Folias &lt;yannis.folias@gmail.com&gt;
diff --git a/community/catalog/compromises/2025/review-dog.md b/community/catalog/compromises/2025/review-dog.md
@@ -0,0 +1,29 @@
+# reviewdog/action-setup@v1 GitHub Action Compromise
+
+In March 2025, security researchers discovered that the reviewdog/action-setup@v1
+GitHub Action had been compromised. The attacker altered the v1 tag to point to a
+malicious commit between March 11 and later reverted it to conceal the compromise.
+Encoded payloads were embedded into the install.sh script and any running
+workflows using this Action would execute the malicious code. The code, when
+executed in CI pipelines, could dump workflow environment variables into logs,
+exposing them this way to anyone viewing the CI run.
+
+## Impact
+
+By redirecting the trusted @v1 tag to a malicious commit, the attacker caused
+workflows using this Action to execute injected code that printed environment
+variables and secrets into build logs. This could lead to the unintentional
+disclosure of access tokens, API keys, and credentials, particularly in public
+repositories where logs are accessible, undermining the confidentiality of
+automated build environments.
+
+## Type of Compromise
+
+This is a _Publishing Infrastructure_ type of compromise, as the attacker
+manipulated the Action's distributed version reference (Git tag) rather than its
+codebase or maintainer, abusing weaknesses in how automation components are
+published and trusted within GitHub's workflow ecosystem.
+
+## References
+
+- [New GitHub Action supply chain attack: reviewdog/action-setup](https://www.wiz.io/blog/new-github-action-supply-chain-attack-reviewdog-action-setup)
diff --git a/community/catalog/compromises/README.md b/community/catalog/compromises/README.md
@@ -34,6 +34,7 @@ of compromise needs added, please include that as well.
 | [Red Hat Consulting GitLab Instance Breach](2025/rh-gitlab-instance.md) | 2025 | Publishing Infrastructure | [1](https://www.redhat.com/en/blog/security-update-incident-related-red-hat-consulting-gitlab-instance) |
 | [The Nx s1ngularity Attack Leading to Credentials Leak](2025/nx-platform.md) | 2025 | Attack Chaining | [1](https://www.kaspersky.com/blog/nx-build-s1ngularity-supply-chain-attack/54223/) |
 | [The GhostAction Github Workflow Injection](2025/ghost-action.md) | 2025 | Publishing Infrastructure | [1](https://blog.gitguardian.com/ghostaction-campaign-3-325-secrets-stolen/) |
+| [reviewdog/action-setup@v1 GitHub Action Compromise](2025/review-dog.md)| 2025 | Publishing Infrastructure | [1](https://www.wiz.io/blog/new-github-action-supply-chain-attack-reviewdog-action-setup) |
 | [tj-actions/changed-files GitHub Action Compromise](2025/changed-files.md) | 2025 | Attack Chaining | [1](https://github.com/advisories/GHSA-mrrh-fwg8-r2c3/) |
 | [Solana Web3.js Code Injection](2024/solana_web3js.md) | 2024 | Social Engineering/Phishing Attack | [1](https://www.reversinglabs.com/blog/malware-found-in-solana-npm-library-with-50m-downloads) [2](https://x.com/0xMert_/status/1864069157257613719) |
 | [Polyfill.io Infrastructure Takeover Leading to Malware Distribution](2024/polyfill.md) | 2024 | Publishing Infrastructure | [1](https://sansec.io/research/polyfill-supply-chain-attack) |
