On March 19, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) identified a vulnerability associated with the supply chain compromise of the GitHub Action, tj-actions/changed-files. This vulnerability, known as CVE-2025-30066 with a CVSS score of 8.6, allows remote attackers to access sensitive data via actions logs by injecting malicious code into the GitHub Action.
The compromised GitHub Action contained a flaw that enabled attackers to discover secrets stored in actions logs, including AWS access keys, GitHub personal access tokens, npm tokens, and private RSA keys. Cloud security company Wiz uncovered that this attack may have been part of a cascading supply chain compromise, with threat actors first compromising the reviewdog/action-setup@v1 GitHub Action to infiltrate tj-actions/changed-files.
The attack occurred on March 11, 2025, with the tj-actions/changed-files repository being breached before March 14. The infected reviewdog action was used to insert a Base64-encoded payload into CI/CD workflows, exposing secrets from repositories running the workflow in logs. The maintainers of tj-actions attributed the attack to a compromised GitHub Personal Access Token (PAT) that allowed unauthorized modification of the repository with malicious code.
In response to the compromise, affected users and federal agencies are urged to update to the latest version of tj-actions/changed-files (46.0.1) by April 4, 2025, to mitigate active threats. Additionally, users are advised to audit past workflows for suspicious activity, rotate any leaked secrets, and pin all GitHub Actions to specific commit hashes instead of version tags to prevent similar incidents in the future.
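The two remediation steps above (auditing past workflow runs and pinning actions to commit SHAs) are easy to automate. The script below is an added example, not code from CISA, GitHub, or the tj-actions project. It flags every `uses:` reference in a workflow file that is not pinned to a full 40-hex commit SHA, and scans a run log for the secret categories the advisory names (AWS access keys, GitHub PATs, npm tokens, RSA private keys) plus long Base64 runs of the kind the payload used. The token prefix shapes (`AKIA…`, `ghp_…`, `npm_…`) are assumptions about common formats, not something the advisory specifies, and the workflow, the placeholder SHA and the log lines are constructed for the example.

```python
import base64
import re
from dataclasses import dataclass

# `uses: owner/repo[/path]@ref` step references in a workflow file.
# [ \t]* rather than \s* so a match never starts on a preceding blank line.
USES_RE = re.compile(
    r"^[ \t]*-?[ \t]*uses:[ \t]*['\"]?([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@([^\s'\"#]+)",
    re.MULTILINE,
)
# Only a full 40-hex commit SHA is immutable; tags, branches and short SHAs can be moved.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Assumed token shapes for the secret categories the advisory lists.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "npm_token": re.compile(r"\bnpm_[A-Za-z0-9]{36}\b"),
    "rsa_private_key": re.compile(r"-----BEGIN (?:RSA )?PRIVATE KEY-----"),
    # A long unbroken Base64 run: the payload style described for this incident.
    "base64_blob": re.compile(r"[A-Za-z0-9+/]{80,}={0,2}"),
}


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str
    line_no: int


def audit_workflow(text: str) -> list[Finding]:
    """Return one finding per action reference that is not pinned to a full commit SHA."""
    findings = []
    for m in USES_RE.finditer(text):
        action, ref = m.group(1), m.group(2)
        if not FULL_SHA_RE.fullmatch(ref):
            line_no = text.count("\n", 0, m.start()) + 1
            findings.append(Finding("unpinned_action", f"{action}@{ref}", line_no))
    return findings


def scan_log(text: str) -> list[Finding]:
    """Return one finding per (line, pattern) hit; the matched secret is redacted in the detail."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pat in SECRET_PATTERNS.items():
            if pat.search(line):
                redacted = pat.sub(f"<{kind} redacted>", line.strip())
                findings.append(Finding(kind, redacted, line_no))
    return findings


# Constructed workflow: one SHA-pinned step (placeholder SHA) and two tag-pinned steps.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: tj-actions/changed-files@v45
      - name: setup reviewdog
        uses: reviewdog/action-setup@v1
      - run: echo ok
"""

# Constructed log lines; the Base64 blob encodes a harmless marker string.
_BLOB = base64.b64encode(b"echo constructed-payload" * 4).decode()
SAMPLE_LOG = "\n".join([
    "2025-03-14T10:00:00Z Run tj-actions/changed-files@v45",
    "2025-03-14T10:00:01Z All changed files: src/app.py",
    "2025-03-14T10:00:02Z " + _BLOB,
    "2025-03-14T10:00:03Z AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE00",
    "2025-03-14T10:00:04Z token=ghp_" + "0" * 36,
    "2025-03-14T10:00:05Z -----BEGIN RSA PRIVATE KEY-----",
])

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"workflow line {f.line_no}: {f.kind}: {f.detail}")
    for f in scan_log(SAMPLE_LOG):
        print(f"log line {f.line_no}: {f.kind}: {f.detail}")
```

Run against a checkout of `.github/workflows/*.yml` and exported run logs, any unpinned finding is a step to re-pin (after updating to the fixed release named above), and any log finding is a secret to rotate. Local actions (`./path`) and `docker://` images are deliberately not matched, since the SHA-pinning rule applies to actions fetched from another repository.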