A significant security incident has rocked the software development community, specifically targeting GitHub Actions. This breach, identified as CVE-2025-30066, was a supply chain attack affecting over 23,000 code repositories. At its core, this attack involved the GitHub Action known as tj-actions/changed-files, which enabled attackers to leak critical secrets like passwords from public repositories. The incident underscores the vulnerability of public repositories in the software supply chain and the importance of rigorous security practices.
The Attack Unveiled
The compromise began with malicious actors introducing a harmful commit into the popular tj-actions/changed-files GitHub Action. This commit contained a Node.js function with base64-encoded instructions that downloaded a malicious Python script. The script’s purpose was to scan the GitHub Runner’s memory, hunting for sensitive information such as passwords and other credentials crucial for CI/CD processes.
These secrets, found in GitHub Runner’s memory, were subsequently printed in the build logs of the compromised Action. Because these logs were publicly accessible, anyone with the right access could retrieve the exposed information. Varun Sharma of StepSecurity emphasized the ease with which these exposed secrets could be exploited if the logs were public. The ability to expose vital credentials made the attack particularly dangerous, affecting numerous public repositories and highlighting the significant flaw in the system’s design.
Discovering the Compromise
StepSecurity played a pivotal role in detecting the breach, tracing the malicious activity back to mid-March. Cybersecurity firm Sysdig supported these findings, unraveling how the Node.js function decoded the payload to fetch additional Python code from a GitHub gist. This code mapped the GitHub Runner’s memory, used regular expressions to search for credentials, and logged the extracted secrets. GitHub’s prompt response involved deactivating the compromised Action to prevent further data leaks.
The token allowed privileged access to targeted repositories, prompting repository maintainers to revoke the PAT, update the bot’s password, restrict permissions, and enforce passkey requirements. This chain of events highlighted the importance of securing personal access tokens, as their compromise can lead to extensive operational disruptions and sensitive data exposure.
Broad Impact on Repositories
Researchers from Wiz pointed out that the primary threat affected public repositories due to the accessibility of logs and secrets. Numerous repositories, including those of large organizations, had secrets such as AWS access keys and GitHub Personal Access Tokens compromised. This highlighted the wide-reaching impact and the vulnerability of public repositories to such attacks. The exposure of these credentials posed a significant risk since they could be used to gain unauthorized access to additional systems and data.
Dimitri Stiliadis from Endor Labs speculated that the attackers had broader motives than just accessing secrets. He suggested that the ultimate goal might have been to compromise the software supply chain for other open-source libraries and artifacts, posing a potential risk to thousands of packages involved in public repository CI pipelines. This aspect of the attack emphasizes the interconnected nature of software development repositories and the cascading effects a single compromise can have on the broader ecosystem.
Strengthening Security Measures
A significant security incident has sent shockwaves through the software development community, specifically targeting GitHub Actions. This breach, cataloged as CVE-2025-30066, was a supply chain attack impacting more than 23,000 code repositories. At the heart of this attack was the GitHub Action known as tj-actions/changed-files. This vulnerability allowed attackers to seamlessly leak critical secrets such as passwords from public repositories. This incident highlights the vulnerabilities public repositories face in the software supply chain and emphasizes the necessity of stringent security protocols.
The breach’s extent reveals that even widely trusted tools can harbor flaws, pointing to the growing need for developers and organizations to prioritize security at every level from development to deployment. Ensuring that security parameters are strictly enforced can help mitigate such risks. The software development community must take this incident as a wake-up call and adopt more rigorous measures to protect against similar threats in the future.