How Did a GitHub Action Compromise Impact Thousands of Repositories?

Article Highlights
Off On

A significant security incident has rocked the software development community, specifically targeting GitHub Actions. This breach, identified as CVE-2025-30066, was a supply chain attack affecting over 23,000 code repositories. At its core, this attack involved the GitHub Action known as tj-actions/changed-files, which enabled attackers to leak critical secrets like passwords from public repositories. The incident underscores the vulnerability of public repositories in the software supply chain and the importance of rigorous security practices.

The Attack Unveiled

The compromise began with malicious actors introducing a harmful commit into the popular tj-actions/changed-files GitHub Action. This commit contained a Node.js function with base64-encoded instructions that downloaded a malicious Python script. The script’s purpose was to scan the GitHub Runner’s memory, hunting for sensitive information such as passwords and other credentials crucial for CI/CD processes.

These secrets, found in GitHub Runner’s memory, were subsequently printed in the build logs of the compromised Action. Because these logs were publicly accessible, anyone with the right access could retrieve the exposed information. Varun Sharma of StepSecurity emphasized the ease with which these exposed secrets could be exploited if the logs were public. The ability to expose vital credentials made the attack particularly dangerous, affecting numerous public repositories and highlighting the significant flaw in the system’s design.

Discovering the Compromise

StepSecurity played a pivotal role in detecting the breach, tracing the malicious activity back to mid-March. Cybersecurity firm Sysdig supported these findings, unraveling how the Node.js function decoded the payload to fetch additional Python code from a GitHub gist. This code mapped the GitHub Runner’s memory, used regular expressions to search for credentials, and logged the extracted secrets. GitHub’s prompt response involved deactivating the compromised Action to prevent further data leaks.

The token allowed privileged access to targeted repositories, prompting repository maintainers to revoke the PAT, update the bot’s password, restrict permissions, and enforce passkey requirements. This chain of events highlighted the importance of securing personal access tokens, as their compromise can lead to extensive operational disruptions and sensitive data exposure.

Broad Impact on Repositories

Researchers from Wiz pointed out that the primary threat affected public repositories due to the accessibility of logs and secrets. Numerous repositories, including those of large organizations, had secrets such as AWS access keys and GitHub Personal Access Tokens compromised. This highlighted the wide-reaching impact and the vulnerability of public repositories to such attacks. The exposure of these credentials posed a significant risk since they could be used to gain unauthorized access to additional systems and data.

Dimitri Stiliadis from Endor Labs speculated that the attackers had broader motives than just accessing secrets. He suggested that the ultimate goal might have been to compromise the software supply chain for other open-source libraries and artifacts, posing a potential risk to thousands of packages involved in public repository CI pipelines. This aspect of the attack emphasizes the interconnected nature of software development repositories and the cascading effects a single compromise can have on the broader ecosystem.

Strengthening Security Measures

A significant security incident has sent shockwaves through the software development community, specifically targeting GitHub Actions. This breach, cataloged as CVE-2025-30066, was a supply chain attack impacting more than 23,000 code repositories. At the heart of this attack was the GitHub Action known as tj-actions/changed-files. This vulnerability allowed attackers to seamlessly leak critical secrets such as passwords from public repositories. This incident highlights the vulnerabilities public repositories face in the software supply chain and emphasizes the necessity of stringent security protocols.

The breach’s extent reveals that even widely trusted tools can harbor flaws, pointing to the growing need for developers and organizations to prioritize security at every level from development to deployment. Ensuring that security parameters are strictly enforced can help mitigate such risks. The software development community must take this incident as a wake-up call and adopt more rigorous measures to protect against similar threats in the future.

Explore more

Revolutionizing SaaS with Customer Experience Automation

Imagine a SaaS company struggling to keep up with a flood of customer inquiries, losing valuable clients due to delayed responses, and grappling with the challenge of personalizing interactions at scale. This scenario is all too common in today’s fast-paced digital landscape, where customer expectations for speed and tailored service are higher than ever, pushing businesses to adopt innovative solutions.

Trend Analysis: AI Personalization in Healthcare

Imagine a world where every patient interaction feels as though the healthcare system knows them personally—down to their favorite sports team or specific health needs—transforming a routine call into a moment of genuine connection that resonates deeply. This is no longer a distant dream but a reality shaped by artificial intelligence (AI) personalization in healthcare. As patient expectations soar for

Trend Analysis: Digital Banking Global Expansion

Imagine a world where accessing financial services is as simple as a tap on a smartphone, regardless of where someone lives or their economic background—digital banking is making this vision a reality at an unprecedented pace, disrupting traditional financial systems by prioritizing accessibility, efficiency, and innovation. This transformative force is reshaping how millions manage their money. In today’s tech-driven landscape,

Trend Analysis: AI-Driven Data Intelligence Solutions

In an era where data floods every corner of business operations, the ability to transform raw, chaotic information into actionable intelligence stands as a defining competitive edge for enterprises across industries. Artificial Intelligence (AI) has emerged as a revolutionary force, not merely processing data but redefining how businesses strategize, innovate, and respond to market shifts in real time. This analysis

What’s New and Timeless in B2B Marketing Strategies?

Imagine a world where every business decision hinges on a single click, yet the underlying reasons for that click have remained unchanged for decades, reflecting the enduring nature of human behavior in commerce. In B2B marketing, the landscape appears to evolve at breakneck speed with digital tools and data-driven tactics, but are these shifts as revolutionary as they seem? This