How Did a GitHub Action Compromise Impact Thousands of Repositories?

Article Highlights
Off On

A significant security incident has rocked the software development community, specifically targeting GitHub Actions. This breach, identified as CVE-2025-30066, was a supply chain attack affecting over 23,000 code repositories. At its core, this attack involved the GitHub Action known as tj-actions/changed-files, which enabled attackers to leak critical secrets like passwords from public repositories. The incident underscores the vulnerability of public repositories in the software supply chain and the importance of rigorous security practices.

The Attack Unveiled

The compromise began with malicious actors introducing a harmful commit into the popular tj-actions/changed-files GitHub Action. This commit contained a Node.js function with base64-encoded instructions that downloaded a malicious Python script. The script’s purpose was to scan the GitHub Runner’s memory, hunting for sensitive information such as passwords and other credentials crucial for CI/CD processes.

These secrets, found in GitHub Runner’s memory, were subsequently printed in the build logs of the compromised Action. Because these logs were publicly accessible, anyone with the right access could retrieve the exposed information. Varun Sharma of StepSecurity emphasized the ease with which these exposed secrets could be exploited if the logs were public. The ability to expose vital credentials made the attack particularly dangerous, affecting numerous public repositories and highlighting the significant flaw in the system’s design.

Discovering the Compromise

StepSecurity played a pivotal role in detecting the breach, tracing the malicious activity back to mid-March. Cybersecurity firm Sysdig supported these findings, unraveling how the Node.js function decoded the payload to fetch additional Python code from a GitHub gist. This code mapped the GitHub Runner’s memory, used regular expressions to search for credentials, and logged the extracted secrets. GitHub’s prompt response involved deactivating the compromised Action to prevent further data leaks.

The token allowed privileged access to targeted repositories, prompting repository maintainers to revoke the PAT, update the bot’s password, restrict permissions, and enforce passkey requirements. This chain of events highlighted the importance of securing personal access tokens, as their compromise can lead to extensive operational disruptions and sensitive data exposure.

Broad Impact on Repositories

Researchers from Wiz pointed out that the primary threat affected public repositories due to the accessibility of logs and secrets. Numerous repositories, including those of large organizations, had secrets such as AWS access keys and GitHub Personal Access Tokens compromised. This highlighted the wide-reaching impact and the vulnerability of public repositories to such attacks. The exposure of these credentials posed a significant risk since they could be used to gain unauthorized access to additional systems and data.

Dimitri Stiliadis from Endor Labs speculated that the attackers had broader motives than just accessing secrets. He suggested that the ultimate goal might have been to compromise the software supply chain for other open-source libraries and artifacts, posing a potential risk to thousands of packages involved in public repository CI pipelines. This aspect of the attack emphasizes the interconnected nature of software development repositories and the cascading effects a single compromise can have on the broader ecosystem.

Strengthening Security Measures

A significant security incident has sent shockwaves through the software development community, specifically targeting GitHub Actions. This breach, cataloged as CVE-2025-30066, was a supply chain attack impacting more than 23,000 code repositories. At the heart of this attack was the GitHub Action known as tj-actions/changed-files. This vulnerability allowed attackers to seamlessly leak critical secrets such as passwords from public repositories. This incident highlights the vulnerabilities public repositories face in the software supply chain and emphasizes the necessity of stringent security protocols.

The breach’s extent reveals that even widely trusted tools can harbor flaws, pointing to the growing need for developers and organizations to prioritize security at every level from development to deployment. Ensuring that security parameters are strictly enforced can help mitigate such risks. The software development community must take this incident as a wake-up call and adopt more rigorous measures to protect against similar threats in the future.

Explore more

Business Central Mobile Apps Transform Operations On-the-Go

In an era where business agility defines success, the ability to manage operations from any location has become a critical advantage for companies striving to stay ahead of the curve, and Microsoft Dynamics 365 Business Central mobile apps are at the forefront of this shift. These apps redefine how organizations handle essential tasks like finance, sales, and inventory management by

Transparency Key to Solving D365 Pricing Challenges

Understanding the Dynamics 365 Landscape Imagine a business world where operational efficiency hinges on a single, powerful tool, yet many enterprises struggle to harness its full potential due to unforeseen hurdles. Microsoft Dynamics 365 (D365), a leading enterprise resource planning (ERP) and customer relationship management (CRM) solution, stands as a cornerstone for medium to large organizations aiming to integrate and

Generative AI Transforms Finance with Automation and Strategy

This how-to guide aims to equip finance professionals, particularly chief financial officers (CFOs) and their teams, with actionable insights on leveraging generative AI to revolutionize their operations. By following the steps outlined, readers will learn how to automate routine tasks, enhance strategic decision-making, and position their organizations for competitive advantage in a rapidly evolving industry. The purpose of this guide

How Is Tech Revolutionizing Traditional Payroll Systems?

In an era where adaptability defines business success, the payroll landscape is experiencing a profound transformation driven by technological innovation, reshaping how companies manage compensation. For decades, businesses relied on rigid monthly or weekly pay cycles that often failed to align with the diverse needs of employees or the dynamic nature of modern enterprises. Today, however, a wave of cutting-edge

Why Is Employee Career Development a Business Imperative?

Setting the Stage for a Critical Business Priority Imagine a workplace where top talent consistently leaves for better opportunities, costing millions in turnover while productivity stagnates due to outdated skills. This scenario is not a distant possibility but a reality for many organizations that overlook employee career development. In an era of rapid technological change and fierce competition for skilled