Earlier this year, GitHub faced a significant cybersecurity incident that shook the developer community, particularly those using the popular GitHub Action tj-actions/changed-files. This Action, employed by more than 23,000 repositories, assists in tracking and retrieving changed files and directories within the CI/CD (Continuous Integration and Continuous Delivery) workflow. The incident exposed sensitive secrets from the affected repositories and has been identified with the CVE-2025-30066. With a CVSS score of 8.6, the severity of this compromise cannot be overstated.
Details of the Compromise
Attackers Exploited the Code
In a troubling discovery, researchers found that attackers had managed to alter the code of tj-actions/changed-files and retroactively update multiple version tags to link to a malicious commit. This compromised code was crafted to print CI/CD secrets, including AWS access keys, GitHub Personal Access Tokens (PATs), npm tokens, and private RSA keys, within the GitHub Action build logs. While there is no concrete evidence suggesting that the exposed secrets were exfiltrated to an attacker-controlled server, the threat level remains high, particularly if the workflow logs were publicly accessible.
Additionally, it became apparent that the malicious code stemmed from an unverified commit. The code ran a Python script hosted on a GitHub gist, designed to harvest CI/CD secrets from the Runner Worker process. This GitHub gist has since been taken down to prevent further exploitation. This incident underscores the growing menace of supply chain attacks in CI/CD environments, a particularly concerning trend given the high reliance on open-source software. Such attacks can have cascading effects, potentially compromising a myriad of downstream customers.
Actions Taken and Recommendations for Users
In the aftermath of the breach, the project maintainers revealed that the attacker had gained access through a GitHub PAT used by @tj-actions-bot, a bot with privileged access to the compromised repository. Several security enhancements have since been introduced. The bot’s account password was updated, authentication methods were bolstered, and access was limited according to the principle of least privilege. Additionally, GitHub took significant steps by revoking the compromised PAT and instituting a policy prohibiting PAT use for any future projects within the tj-actions organization.
For users of the affected GitHub Action, it is crucial to immediately update to the latest version, 46.0.1. Furthermore, users should thoroughly review workflows executed between March 14 and March 15 for any unexpected outputs within the changed-files section. Such vigilance is necessary because this incident is not an isolated event for tj-actions/changed-files. Back in January 2024, this action experienced another critical security issue, documented as CVE-2023-49291, which allowed arbitrary code execution. Therefore, maintaining up-to-date versions and reviewing security advisories frequently is prudent.
Broader Implications for CI/CD Security
The Rise of Supply Chain Attacks
This incident with tj-actions/changed-files is a grim reminder of the increasing vulnerabilities within open-source software, particularly in CI/CD ecosystems. Supply chain attacks, where a malicious actor infiltrates and compromises software dependencies, have become more prevalent and sophisticated. Open-source software projects are notably susceptible due to their widespread use and reliance on community contributions. Such attacks can ripple through numerous dependent projects and users, causing extensive damage and operational disruptions.
Organizations must adopt comprehensive security practices to mitigate these risks. This includes implementing multi-factor authentication for all accounts, conducting regular code audits, and employing automated tools for continuous monitoring of dependencies. Moreover, adhering to the principle of least privilege by limiting access rights to only what is necessary ensures any potential damage from compromised accounts is minimized. Additionally, organizations should cultivate a culture of security awareness, emphasizing the importance of vigilance and prompt action when security breaches are suspected or confirmed.
Future Considerations and Best Practices
Looking ahead, it is essential for development teams to recognize that the landscape of cybersecurity threats is ever-evolving. The compromise of tj-actions/changed-files serves as a case study for the necessity of proactive and robust security measures. As part of best practices, teams should consider using dependency management tools that can detect and alert on vulnerable software versions. Regularly reviewing and rotating secrets, implementing strong authentication protocols, and making use of managed CI/CD services that offer enhanced security features can also fortify defenses against such incidents.
Furthermore, contributing to and relying on open-source software necessitates a community-driven approach to security. By actively participating in open-source communities, developers can help identify vulnerabilities, contribute to security patches, and share knowledge about best practices. Collaboration between organizations, open-source maintainers, and security researchers would help create a more resilient software ecosystem. This collective effort could significantly reduce the impact of future supply chain attacks, fostering a safer development environment for all.
Ensure Your Repository’s Security
Earlier this year, GitHub encountered a major cybersecurity incident that impacted the developer community, especially those utilizing the widely-used GitHub Action tj-actions/changed-files. This specific Action, which is a key part of the CI/CD (Continuous Integration and Continuous Delivery) workflow, is employed by over 23,000 repositories to help in tracking and retrieving files and directories that have been modified. The breach resulted in the exposure of sensitive secrets from the affected repositories and has been identified under the CVE-2025-30066. The severity of this security breach is illustrated by its CVSS score of 8.6, indicating a high level of risk and impact. The event has prompted heightened concerns and reinforced the urgency for robust cybersecurity measures within the developer community. Addressing such vulnerabilities is essential to safeguarding the integrity and confidentiality of developer resources and workflows on platforms like GitHub.