On August 4, 2025, the AWS GitHub Action `configure-aws-credentials` had its v4.3.0 release tag deleted and recreated pointing to a different commit after a critical bug was discovered. StepSecurity's Artifact Monitor flagged this tag movement within minutes as suspicious — the same pattern used in real supply chain attacks like the tj-actions and reviewdog compromises in March 2025. The post explains the timeline of the AWS incident, why moving tags are treated as red flags, and how automated monitoring of release tags is essential for CI/CD security. Key recommendations include treating unexpected tag changes as urgent incidents, pinning actions to immutable commit SHAs, and investing in automated release monitoring tools.
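A minimal sketch of the tag-movement check recommended above, added here as an example; it is not StepSecurity's Artifact Monitor or code from the post. It compares two snapshots of `git ls-remote --tags` output and reports tags that were deleted or now resolve to a different commit; the tag names and SHAs are constructed placeholders.

```python
import re

def sha(c):
    """Constructed 40-hex placeholder SHA (not a real commit)."""
    return c * 40

# Constructed snapshots of `git ls-remote --tags <repo>` taken at two points in time.
BEFORE = "\n".join([
    f"{sha('a')}\trefs/tags/v1.0.0",
    f"{sha('b')}\trefs/tags/v1.1.0",       # annotated tag object
    f"{sha('c')}\trefs/tags/v1.1.0^{{}}",  # commit that tag points to
])
AFTER = "\n".join([
    f"{sha('a')}\trefs/tags/v1.0.0",
    f"{sha('d')}\trefs/tags/v1.1.0",       # tag deleted and recreated
    f"{sha('e')}\trefs/tags/v1.1.0^{{}}",  # same name, different commit
    f"{sha('f')}\trefs/tags/v1.2.0",       # new tag: normal, not flagged
])

def parse_ls_remote(text):
    """Map tag name -> commit SHA.

    Annotated tags are listed twice: the tag object, then a peeled `^{}`
    line with the commit. The peeled commit wins, since that is the code
    a workflow referencing the tag would actually run.
    """
    tags, peeled = {}, {}
    for line in text.splitlines():
        m = re.fullmatch(r"([0-9a-f]{40})\trefs/tags/(.+?)(\^\{\})?", line.strip())
        if m:
            commit, name, is_peeled = m.groups()
            (peeled if is_peeled else tags)[name] = commit
    return {**tags, **peeled}

def diff_tags(before, after):
    """Return (tag, event, old_sha, new_sha) for deleted or moved tags."""
    findings = []
    for name, old in sorted(before.items()):
        new = after.get(name)
        if new is None:
            findings.append((name, "deleted", old, None))
        elif new != old:
            findings.append((name, "moved", old, new))
    return findings

if __name__ == "__main__":
    for finding in diff_tags(parse_ls_remote(BEFORE), parse_ls_remote(AFTER)):
        print("ALERT", *finding)
```

A workflow pinned to the full commit SHA rather than the tag keeps running the old commit when a tag moves, which is why the pinning recommendation pairs with this check.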

9m read time. From stepsecurity.io