How Did a GitHub Action Compromise Impact Thousands of Repositories?

Article Highlights
Off On

A significant security incident has rocked the software development community, specifically targeting GitHub Actions. This breach, identified as CVE-2025-30066, was a supply chain attack affecting over 23,000 code repositories. At its core, this attack involved the GitHub Action known as tj-actions/changed-files, which enabled attackers to leak critical secrets like passwords from public repositories. The incident underscores the vulnerability of public repositories in the software supply chain and the importance of rigorous security practices.

The Attack Unveiled

The compromise began with malicious actors introducing a harmful commit into the popular tj-actions/changed-files GitHub Action. This commit contained a Node.js function with base64-encoded instructions that downloaded a malicious Python script. The script’s purpose was to scan the GitHub Runner’s memory, hunting for sensitive information such as passwords and other credentials crucial for CI/CD processes.

These secrets, found in GitHub Runner’s memory, were subsequently printed in the build logs of the compromised Action. Because these logs were publicly accessible, anyone with the right access could retrieve the exposed information. Varun Sharma of StepSecurity emphasized the ease with which these exposed secrets could be exploited if the logs were public. The ability to expose vital credentials made the attack particularly dangerous, affecting numerous public repositories and highlighting the significant flaw in the system’s design.

Discovering the Compromise

StepSecurity played a pivotal role in detecting the breach, tracing the malicious activity back to mid-March. Cybersecurity firm Sysdig supported these findings, unraveling how the Node.js function decoded the payload to fetch additional Python code from a GitHub gist. This code mapped the GitHub Runner’s memory, used regular expressions to search for credentials, and logged the extracted secrets. GitHub’s prompt response involved deactivating the compromised Action to prevent further data leaks.

The token allowed privileged access to targeted repositories, prompting repository maintainers to revoke the PAT, update the bot’s password, restrict permissions, and enforce passkey requirements. This chain of events highlighted the importance of securing personal access tokens, as their compromise can lead to extensive operational disruptions and sensitive data exposure.

Broad Impact on Repositories

Researchers from Wiz pointed out that the primary threat affected public repositories due to the accessibility of logs and secrets. Numerous repositories, including those of large organizations, had secrets such as AWS access keys and GitHub Personal Access Tokens compromised. This highlighted the wide-reaching impact and the vulnerability of public repositories to such attacks. The exposure of these credentials posed a significant risk since they could be used to gain unauthorized access to additional systems and data.

Dimitri Stiliadis from Endor Labs speculated that the attackers had broader motives than just accessing secrets. He suggested that the ultimate goal might have been to compromise the software supply chain for other open-source libraries and artifacts, posing a potential risk to thousands of packages involved in public repository CI pipelines. This aspect of the attack emphasizes the interconnected nature of software development repositories and the cascading effects a single compromise can have on the broader ecosystem.

Strengthening Security Measures

A significant security incident has sent shockwaves through the software development community, specifically targeting GitHub Actions. This breach, cataloged as CVE-2025-30066, was a supply chain attack impacting more than 23,000 code repositories. At the heart of this attack was the GitHub Action known as tj-actions/changed-files. This vulnerability allowed attackers to seamlessly leak critical secrets such as passwords from public repositories. This incident highlights the vulnerabilities public repositories face in the software supply chain and emphasizes the necessity of stringent security protocols.

The breach’s extent reveals that even widely trusted tools can harbor flaws, pointing to the growing need for developers and organizations to prioritize security at every level from development to deployment. Ensuring that security parameters are strictly enforced can help mitigate such risks. The software development community must take this incident as a wake-up call and adopt more rigorous measures to protect against similar threats in the future.

Explore more

VodafoneThree Drives 5G Innovation With Network Automation

The rapid expansion of 5G Standalone infrastructure across the United Kingdom has necessitated a fundamental shift in how telecommunications giants manage the increasing complexity of modern cellular traffic. As VodafoneThree consolidates its dominant market position throughout 2026, the implementation of sophisticated network automation tools has transitioned from a competitive advantage to an absolute operational necessity. By moving away from legacy

Vulnerable Microsoft-Signed Shims Allow Secure Boot Bypass

The fundamental promise of UEFI Secure Boot relies on a chain of trust that ensures only verified, cryptographically signed code executes during the critical early stages of a computer’s power-on sequence. When this chain is compromised, the entire security foundation of a modern computing environment is placed at significant risk. Recent discoveries have highlighted vulnerabilities within several versions of the

How Do You Move Your GP General Ledger to Business Central?

The familiar rhythm of month-end procedures in Microsoft Dynamics GP has provided a reliable sanctuary for finance departments for decades, but that comfort is rapidly vanishing as the cloud transition becomes mandatory. For years, the legacy platform served as a fortress of stability, anchoring the financial operations of thousands of organizations through economic shifts and regulatory changes. However, the landscape

How Does Copilot Drive Real ROI in Dynamics 365?

Beyond the Hype: The Evolution of Copilot into a Standard Business Engine Modern business leaders are no longer asking if artificial intelligence works but are instead demanding granular proof that these sophisticated algorithms can actually generate a measurable impact on the quarterly balance sheet. Microsoft Copilot has transitioned rapidly from an experimental AI curiosity to a foundational element of the

Microsoft Business Central 2026 Wave 1 Boosts ERP Efficiency

As the enterprise landscape evolves, the upcoming Microsoft Business Central 2026 Release Wave 1 marks a significant shift toward deeper automation and more fluid system integrations. Dominic Jainy, an IT expert with a sharp focus on how emerging technologies like machine learning and blockchain intersect with business logic, provides a comprehensive look at these upcoming changes. This discussion explores the