The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently issued a warning about an active exploitation of a vulnerability in the GitHub Action, tj-actions/changed-files, highlighting it as part of its Known Exploited Vulnerabilities (KEV) catalog. This high-severity flaw, formally identified as CVE-2025-30066, holds a CVSS score of 8.6. It allows remote attackers to inject malicious code into the GitHub Action, thereby potentially accessing sensitive data through action logs. Furthermore, the captured data can include AWS access keys, GitHub personal access tokens (PATs), npm tokens, and private RSA keys.
The Nature of the Threat
Initial Compromise and Propagation
Cloud security firm Wiz has identified the issue as potentially part of a broader, cascading supply chain attack. The initial compromise emanated from the reviewdog/action-setup@v1 GitHub Action, which was then utilized to infiltrate the tj-actions/changed-files. This breach, dating back to approximately March 11, involved the insertion of malicious code into the compromised reviewdog action. By March 14, the same malicious code had successfully breached the tj-actions/changed-files.
For this vulnerability to be strategically exploited, the attackers used a Base64-encoded payload in a file named install.sh. This payload facilitated the injection of the malicious code into CI/CD workflows, propagating the threat through the GitHub Actions ecosystem. The significant development here was not merely the breach but the adept handling of the payload to ensure it seamlessly infiltrated and compromised the intended repositories. This targeted action reveals a sophisticated understanding of CI/CD pipelines and their vulnerable nodes.
Impact and Immediate Risks
The compromised PAT of tj-actions allowed unauthorized modifications to the repository, amplifying the security risks. As a result, the infected actions posed critical threats, especially in terms of unauthorized access and potential data leaks. Consequently, CISA and other security agencies have recommended that users and federal agencies update the tj-actions/changed-files to version 46.0.1 by April 4.
Beyond simply updating, several other actions have been suggested to contain and mitigate these types of threats. Users are advised to replace the affected actions altogether and conduct rigorous audits of previous workflows to identify any suspicious activities. Additionally, rotating any potentially leaked secrets and pinning GitHub Actions to specific commit hashes, rather than relying on version tags, could greatly reduce the risk of future compromises.
Recommended Preventive Measures
Proactive Updating and Replacement
The urgency to update impacted versions of tj-actions/changed-files stems from the high-severity CVSS score and the multifaceted risks involved. By transitioning to version 46.0.1, users can remove the flawed versions while securing their repositories against potential exploits. However, it is also crucial to consider the replacement of affected actions as an additional layer of security. This measure serves as a robust preventive mechanism against similar discoveries and ensures the sanctity of CI/CD pipelines in the future.
In parallel, conducting thorough audits of previous workflows cannot be overemphasized. Such audits can help pinpoint other potential vulnerabilities that might have been introduced by the compromised actions. Careful scrutiny of all logs and history from the reviewdog/action-setup@v1 and tj-actions/changed-files will assist in tracing any questionable activities. Identifying issues at this juncture ensures long-term security, and a repeat of similar breaches can be prevented.
Rotating Secrets and Secure Hashing
Another proactive step involves the rotation of any secrets that may have been leaked due to this breach. Such secrets might include AWS access keys, GitHub PATs, npm tokens, and private RSA keys. Timely rotation of these secrets will contain the damage and secure sensitive data from being compromised in future attacks. Furthermore, the adoption of automated mechanisms for regular secret rotation can build a resilient defense against potential exploitation.
Moreover, it is advised to pin GitHub Actions to specific commit hashes rather than rely on version tags. This practice binds the CI/CD workflows to verified versions of actions, ensuring that the setup uses only the intended code. Commit hashes provide a higher level of certainty, reducing the risk of unintentionally running compromised code due to flawed versions. This ensures tighter control over the code executed within CI/CD workflows.
Final Thoughts
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently issued an urgent alert regarding an ongoing exploitation of a critical vulnerability in the GitHub Action, tj-actions/changed-files. This issue has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog due to its high severity. Labeled as CVE-2025-30066, the flaw carries a CVSS score of 8.6, indicating significant risk. This vulnerability permits remote attackers to inject malicious code into the GitHub Action, potentially granting access to sensitive data captured through action logs. The compromised data might include AWS access keys, GitHub personal access tokens (PATs), npm tokens, and private RSA keys. As a result, organizations using this GitHub Action are strongly encouraged to review and update their security measures to mitigate possible data breaches and safeguard their digital assets. Enhanced vigilance and prompt actions are imperative to combat this threat effectively.