How Was a Popular GitHub Actions Utility Compromised by Hackers?

Article Highlights
Off On

The GitHub Actions utility tj-actions/changed-files, widely used by app developers, experienced a severe security incident on March 14, 2025, when it was infiltrated by hackers. These threat actors inserted a piece of malicious code into the utility, impacting numerous organizations and applications by stealing sensitive credentials. The incident shed light on the vulnerabilities within the CI/CD pipeline, especially affecting those who rely heavily on open source tools and repositories to manage their projects.

The Breach and Its Discovery

Researchers at StepSecurity detected the breach, identifying a malicious Python script embedded in the compromised versions of the utility, specifically up to version 45.0.7. This script had the capability to extract sensitive data such as API keys, access tokens, and passwords directly from CI/CD pipelines, posing a severe risk to affected applications. The compromised versions of tj-actions/changed-files were widely used in various repositories, making the scale of the breach significant and troubling.

In response to the discovery, GitHub swiftly issued an advisory numbered CVE-2025-30066 and took immediate action by pulling the compromised utility from access. This prompt response was crucial in mitigating further damage and initiating the remediation process for potentially affected entities. The affected community was urged to update their workflows and follow GitHub’s advisory to safeguard their systems. GitHub’s quick intervention played a vital role in containing the immediate threats posed by this breach.

Extent of the Impact

Endor Labs highlighted the extensive reach of the compromised utility, reporting that it was used in over 23,000 GitHub repositories. This level of infiltration placed thousands of CI pipelines at risk, underlining a substantial hit to the open source community. The ripple effects of the breach could be far-reaching, potentially compromising a multitude of open source projects and their dependencies.

Dimitri Stiliadis, CTO of Endor Labs, voiced concerns about the inconsistency of the damage. He suggested that hackers, by using the stolen credentials, might have infiltrated other open source repositories, thereby amplifying the risk and potential impact. The possibility of malware being inserted into other repositories or cloud-based services like Docker Hub indicated that the scope of the attack could extend beyond immediate observations. This raised alarms regarding the overall security of the open source ecosystem.

Urgent Measures and Mitigation

To address the potential impacts of the breach, infosec leaders were urged to take immediate actions such as auditing their GitHub logs for signs of suspicious IP addresses and rotating any secrets that may have been exposed during the breach. One critical recommendation was to pin all GitHub Actions to specific commit hashes rather than relying on version tags to prevent a similar supply chain attack in the future. This approach would strengthen the security of the CI/CD pipelines by ensuring that only verified and trusted code is executed.

In addition to these steps, leveraging GitHub’s allow-listing features to block unauthorized actions and configuring settings to trust only authenticated and verified actions were recommended. These measures would reduce the likelihood of unauthorized or compromised actions running in the CI/CD pipeline. Developers were advised to reassess their current CI/CD practices, making the necessary adjustments to safeguard against similar threats. Ensuring a robust security framework within the development pipeline was essential to mitigating future risks.

Insights from Industry Experts

Varun Sharma, CEO of StepSecurity, described the severity of the breach and praised his team for their vigilance in detecting the anomaly. Sharma noted unusual outbound network connections from the workflows using the compromised utility, which led them to uncover the threat. His firm then promptly alerted GitHub about their findings. Sharma recommended that both security and development teams review their workflows thoroughly for any usage of the compromised utility to mitigate risks.

One of his critical pieces of advice was to determine whether the compromised versions had been utilized in their CI/CD pipelines and to rotate any exposed credentials promptly. He also suggested either switching to more secure alternatives or upgrading to the patched version provided by GitHub. This incident significantly highlighted the efficiency of attacking software during its development phase, which has become a preferred tactic for threat actors seeking to penetrate multiple IT environments instead of targeting individual applications.

Historical Context of Supply Chain Attacks

On March 14, 2025, the GitHub Actions utility tj-actions/changed-files, popular among app developers, faced a serious security breach when it was hacked. The attackers injected malicious code into the utility, leading to the theft of sensitive credentials from many organizations and applications. This incident highlighted significant vulnerabilities within the CI/CD pipeline, drawing attention to the risks associated with relying on open source tools and repositories for project management. Developers and companies that use such utilities to streamline their workflows found themselves at risk, as the breach underscored the importance of rigorous security measures and continuous monitoring. The event acted as a wake-up call, emphasizing the need for enhanced protective strategies to safeguard against similar threats in the future and promoting a reevaluation of security practices within the software development community.

Explore more

Can AI Redefine C-Suite Leadership with Digital Avatars?

I’m thrilled to sit down with Ling-Yi Tsai, a renowned HRTech expert with decades of experience in leveraging technology to drive organizational change. Ling-Yi specializes in HR analytics and the integration of cutting-edge tools across recruitment, onboarding, and talent management. Today, we’re diving into a groundbreaking development in the AI space: the creation of an AI avatar of a CEO,

Cash App Pools Feature – Review

Imagine planning a group vacation with friends, only to face the hassle of tracking who paid for what, chasing down contributions, and dealing with multiple payment apps. This common frustration in managing shared expenses highlights a growing need for seamless, inclusive financial tools in today’s digital landscape. Cash App, a prominent player in the peer-to-peer payment space, has introduced its

Scowtt AI Customer Acquisition – Review

In an era where businesses grapple with the challenge of turning vast amounts of data into actionable revenue, the role of AI in customer acquisition has never been more critical. Imagine a platform that not only deciphers complex first-party data but also transforms it into predictable conversions with minimal human intervention. Scowtt, an AI-native customer acquisition tool, emerges as a

Hightouch Secures Funding to Revolutionize AI Marketing

Imagine a world where every marketing campaign speaks directly to an individual customer, adapting in real time to their preferences, behaviors, and needs, with outcomes so precise that engagement rates soar beyond traditional benchmarks. This is no longer a distant dream but a tangible reality being shaped by advancements in AI-driven marketing technology. Hightouch, a trailblazer in data and AI

How Does Collibra’s Acquisition Boost Data Governance?

In an era where data underpins every strategic decision, enterprises grapple with a staggering reality: nearly 90% of their data remains unstructured, locked away as untapped potential in emails, videos, and documents, often dubbed “dark data.” This vast reservoir holds critical insights that could redefine competitive edges, yet its complexity has long hindered effective governance, making Collibra’s recent acquisition of