Is Your CI/CD Pipeline Secure Against GitHub Action Exploits?

Article Highlights
Off On

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently issued a warning about an active exploitation of a vulnerability in the GitHub Action, tj-actions/changed-files, highlighting it as part of its Known Exploited Vulnerabilities (KEV) catalog. This high-severity flaw, formally identified as CVE-2025-30066, holds a CVSS score of 8.6. It allows remote attackers to inject malicious code into the GitHub Action, thereby potentially accessing sensitive data through action logs. Furthermore, the captured data can include AWS access keys, GitHub personal access tokens (PATs), npm tokens, and private RSA keys.

The Nature of the Threat

Initial Compromise and Propagation

Cloud security firm Wiz has identified the issue as potentially part of a broader, cascading supply chain attack. The initial compromise emanated from the reviewdog/action-setup@v1 GitHub Action, which was then utilized to infiltrate the tj-actions/changed-files. This breach, dating back to approximately March 11, involved the insertion of malicious code into the compromised reviewdog action. By March 14, the same malicious code had successfully breached the tj-actions/changed-files.

For this vulnerability to be strategically exploited, the attackers used a Base64-encoded payload in a file named install.sh. This payload facilitated the injection of the malicious code into CI/CD workflows, propagating the threat through the GitHub Actions ecosystem. The significant development here was not merely the breach but the adept handling of the payload to ensure it seamlessly infiltrated and compromised the intended repositories. This targeted action reveals a sophisticated understanding of CI/CD pipelines and their vulnerable nodes.

Impact and Immediate Risks

The compromised PAT of tj-actions allowed unauthorized modifications to the repository, amplifying the security risks. As a result, the infected actions posed critical threats, especially in terms of unauthorized access and potential data leaks. Consequently, CISA and other security agencies have recommended that users and federal agencies update the tj-actions/changed-files to version 46.0.1 by April 4.

Beyond simply updating, several other actions have been suggested to contain and mitigate these types of threats. Users are advised to replace the affected actions altogether and conduct rigorous audits of previous workflows to identify any suspicious activities. Additionally, rotating any potentially leaked secrets and pinning GitHub Actions to specific commit hashes, rather than relying on version tags, could greatly reduce the risk of future compromises.

Recommended Preventive Measures

Proactive Updating and Replacement

The urgency to update impacted versions of tj-actions/changed-files stems from the high-severity CVSS score and the multifaceted risks involved. By transitioning to version 46.0.1, users can remove the flawed versions while securing their repositories against potential exploits. However, it is also crucial to consider the replacement of affected actions as an additional layer of security. This measure serves as a robust preventive mechanism against similar discoveries and ensures the sanctity of CI/CD pipelines in the future.

In parallel, conducting thorough audits of previous workflows cannot be overemphasized. Such audits can help pinpoint other potential vulnerabilities that might have been introduced by the compromised actions. Careful scrutiny of all logs and history from the reviewdog/action-setup@v1 and tj-actions/changed-files will assist in tracing any questionable activities. Identifying issues at this juncture ensures long-term security, and a repeat of similar breaches can be prevented.

Rotating Secrets and Secure Hashing

Another proactive step involves the rotation of any secrets that may have been leaked due to this breach. Such secrets might include AWS access keys, GitHub PATs, npm tokens, and private RSA keys. Timely rotation of these secrets will contain the damage and secure sensitive data from being compromised in future attacks. Furthermore, the adoption of automated mechanisms for regular secret rotation can build a resilient defense against potential exploitation.

Moreover, it is advised to pin GitHub Actions to specific commit hashes rather than rely on version tags. This practice binds the CI/CD workflows to verified versions of actions, ensuring that the setup uses only the intended code. Commit hashes provide a higher level of certainty, reducing the risk of unintentionally running compromised code due to flawed versions. This ensures tighter control over the code executed within CI/CD workflows.

Final Thoughts

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently issued an urgent alert regarding an ongoing exploitation of a critical vulnerability in the GitHub Action, tj-actions/changed-files. This issue has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog due to its high severity. Labeled as CVE-2025-30066, the flaw carries a CVSS score of 8.6, indicating significant risk. This vulnerability permits remote attackers to inject malicious code into the GitHub Action, potentially granting access to sensitive data captured through action logs. The compromised data might include AWS access keys, GitHub personal access tokens (PATs), npm tokens, and private RSA keys. As a result, organizations using this GitHub Action are strongly encouraged to review and update their security measures to mitigate possible data breaches and safeguard their digital assets. Enhanced vigilance and prompt actions are imperative to combat this threat effectively.

Explore more

Can Stablecoins Balance Privacy and Crime Prevention?

The emergence of stablecoins in the cryptocurrency landscape has introduced a crucial dilemma between safeguarding user privacy and mitigating financial crime. Recent incidents involving Tether’s ability to freeze funds linked to illicit activities underscore the tension between these objectives. Amid these complexities, stablecoins continue to attract attention as both reliable transactional instruments and potential tools for crime prevention, prompting a

AI-Driven Payment Routing – Review

In a world where every business transaction relies heavily on speed and accuracy, AI-driven payment routing emerges as a groundbreaking solution. Designed to amplify global payment authorization rates, this technology optimizes transaction conversions and minimizes costs, catalyzing new dynamics in digital finance. By harnessing the prowess of artificial intelligence, the model leverages advanced analytics to choose the best acquirer paths,

How Are AI Agents Revolutionizing SME Finance Solutions?

Can AI agents reshape the financial landscape for small and medium-sized enterprises (SMEs) in such a short time that it seems almost overnight? Recent advancements suggest this is not just a possibility but a burgeoning reality. According to the latest reports, AI adoption in financial services has increased by 60% in recent years, highlighting a rapid transformation. Imagine an SME

Trend Analysis: Artificial Emotional Intelligence in CX

In the rapidly evolving landscape of customer engagement, one of the most groundbreaking innovations is artificial emotional intelligence (AEI), a subset of artificial intelligence (AI) designed to perceive and engage with human emotions. As businesses strive to deliver highly personalized and emotionally resonant experiences, the adoption of AEI transforms the customer service landscape, offering new opportunities for connection and differentiation.

Will Telemetry Data Boost Windows 11 Performance?

The Telemetry Question: Could It Be the Answer to PC Performance Woes? If your Windows 11 has left you questioning its performance, you’re not alone. Many users are somewhat disappointed by computers not performing as expected, leading to frustrations that linger even after upgrading from Windows 10. One proposed solution is Microsoft’s initiative to leverage telemetry data, an approach that