How Did a GitHub Action Compromise Impact Thousands of Repositories?

Article Highlights
Off On

A significant security incident has rocked the software development community, specifically targeting GitHub Actions. This breach, identified as CVE-2025-30066, was a supply chain attack affecting over 23,000 code repositories. At its core, this attack involved the GitHub Action known as tj-actions/changed-files, which enabled attackers to leak critical secrets like passwords from public repositories. The incident underscores the vulnerability of public repositories in the software supply chain and the importance of rigorous security practices.

The Attack Unveiled

The compromise began with malicious actors introducing a harmful commit into the popular tj-actions/changed-files GitHub Action. This commit contained a Node.js function with base64-encoded instructions that downloaded a malicious Python script. The script’s purpose was to scan the GitHub Runner’s memory, hunting for sensitive information such as passwords and other credentials crucial for CI/CD processes.

These secrets, found in GitHub Runner’s memory, were subsequently printed in the build logs of the compromised Action. Because these logs were publicly accessible, anyone with the right access could retrieve the exposed information. Varun Sharma of StepSecurity emphasized the ease with which these exposed secrets could be exploited if the logs were public. The ability to expose vital credentials made the attack particularly dangerous, affecting numerous public repositories and highlighting the significant flaw in the system’s design.

Discovering the Compromise

StepSecurity played a pivotal role in detecting the breach, tracing the malicious activity back to mid-March. Cybersecurity firm Sysdig supported these findings, unraveling how the Node.js function decoded the payload to fetch additional Python code from a GitHub gist. This code mapped the GitHub Runner’s memory, used regular expressions to search for credentials, and logged the extracted secrets. GitHub’s prompt response involved deactivating the compromised Action to prevent further data leaks.

The token allowed privileged access to targeted repositories, prompting repository maintainers to revoke the PAT, update the bot’s password, restrict permissions, and enforce passkey requirements. This chain of events highlighted the importance of securing personal access tokens, as their compromise can lead to extensive operational disruptions and sensitive data exposure.

Broad Impact on Repositories

Researchers from Wiz pointed out that the primary threat affected public repositories due to the accessibility of logs and secrets. Numerous repositories, including those of large organizations, had secrets such as AWS access keys and GitHub Personal Access Tokens compromised. This highlighted the wide-reaching impact and the vulnerability of public repositories to such attacks. The exposure of these credentials posed a significant risk since they could be used to gain unauthorized access to additional systems and data.

Dimitri Stiliadis from Endor Labs speculated that the attackers had broader motives than just accessing secrets. He suggested that the ultimate goal might have been to compromise the software supply chain for other open-source libraries and artifacts, posing a potential risk to thousands of packages involved in public repository CI pipelines. This aspect of the attack emphasizes the interconnected nature of software development repositories and the cascading effects a single compromise can have on the broader ecosystem.

Strengthening Security Measures

A significant security incident has sent shockwaves through the software development community, specifically targeting GitHub Actions. This breach, cataloged as CVE-2025-30066, was a supply chain attack impacting more than 23,000 code repositories. At the heart of this attack was the GitHub Action known as tj-actions/changed-files. This vulnerability allowed attackers to seamlessly leak critical secrets such as passwords from public repositories. This incident highlights the vulnerabilities public repositories face in the software supply chain and emphasizes the necessity of stringent security protocols.

The breach’s extent reveals that even widely trusted tools can harbor flaws, pointing to the growing need for developers and organizations to prioritize security at every level from development to deployment. Ensuring that security parameters are strictly enforced can help mitigate such risks. The software development community must take this incident as a wake-up call and adopt more rigorous measures to protect against similar threats in the future.

Explore more

How Is Fake Financial SDK Malware Targeting Developers?

In the fast-evolving landscape of digital finance, the security of the software supply chain has become a primary battlefield where the trust between developers and open-source ecosystems is frequently tested. Dominic Jainy, an IT professional specializing in artificial intelligence, machine learning, and blockchain, brings a unique perspective to this struggle, having spent years analyzing how emerging technologies are both leveraged

How to Avoid 7 Dynamics NAV to Business Central Mistakes?

The transition from an established on-premises environment to a cloud-based architecture represents one of the most significant technological shifts an enterprise can undertake in the current business landscape. Moving away from the familiar confines of Dynamics NAV toward the modern, AI-integrated capabilities of Business Central requires more than a simple file transfer or a software update. It is a fundamental

Will the 600 MP Oppo Find X10 Pro Max Win the Megapixel War?

A New Frontier in Smartphone Photography The global technology landscape stands at a critical juncture where the hardware limitations of mobile devices are being shattered by a staggering surge in optical resolution. With the impending release of the Oppo Find X10 Pro Max, rumors regarding a 600-megapixel Hasselblad camera system are signaling a massive leap toward studio-quality mobile hardware. By

How Will the CREST AI Charter Shape Cybersecurity Ethics?

The rapid acceleration of artificial intelligence within the global digital landscape has forced a fundamental recalculation of how defensive technologies are governed and deployed by security firms across the world. With nearly 70% of cybersecurity providers now integrating machine learning into their daily operations, the industry has reached a critical tipping point where innovation often moves faster than oversight. On

Institutional Shifts Define the 2026 Crypto Investment Era

The traditional demarcation between decentralized finance and the established global banking infrastructure has nearly vanished as of mid-2026, giving rise to a unified financial ecosystem where institutional confidence serves as the primary engine for market stability and sustained growth. This structural transformation has effectively moved the digital asset landscape beyond its early speculative roots, evolving instead into a highly sophisticated