How an AWS release rollback triggered the same red flags as a supply chain attack — and why treating every tag movement as suspicious is key to protecting your CI/CD pipelines

StepSecurity

On August 4, 2025, the AWS GitHub Action `configure-aws-credentials` had its v4.3.0 release tag deleted and recreated pointing to a different commit after a critical bug was discovered. StepSecurity's Artifact Monitor flagged this tag movement within minutes as suspicious — the same pattern used in real supply chain attacks like the tj-actions and reviewdog compromises in March 2025. The post explains the timeline of the AWS incident, why moving tags are treated as red flags, and how automated monitoring of release tags is essential for CI/CD security. Key recommendations include treating unexpected tag changes as urgent incidents, pinning actions to immutable commit SHAs, and investing in automated release monitoring tools.

Suspicious Tag Movement in AWS’s GitHub Action: What Happened and Why It Matters

What Happened: Tag v4.3.0 Created, Unreleased, and Recreated

Why Tag Movements Are Rare Red Flags and When They’re Malicious

Automatic Detection by StepSecurity’s Artifact Monitor

Conclusion: Monitor Your Releases and Stay Ahead of Threats