Was Your Repository Affected By the GitHub Action Compromise?

Article Highlights
Off On

Earlier this year, GitHub faced a significant cybersecurity incident that shook the developer community, particularly those using the popular GitHub Action tj-actions/changed-files. This Action, employed by more than 23,000 repositories, assists in tracking and retrieving changed files and directories within the CI/CD (Continuous Integration and Continuous Delivery) workflow. The incident exposed sensitive secrets from the affected repositories and has been identified with the CVE-2025-30066. With a CVSS score of 8.6, the severity of this compromise cannot be overstated.

Details of the Compromise

Attackers Exploited the Code

In a troubling discovery, researchers found that attackers had managed to alter the code of tj-actions/changed-files and retroactively update multiple version tags to link to a malicious commit. This compromised code was crafted to print CI/CD secrets, including AWS access keys, GitHub Personal Access Tokens (PATs), npm tokens, and private RSA keys, within the GitHub Action build logs. While there is no concrete evidence suggesting that the exposed secrets were exfiltrated to an attacker-controlled server, the threat level remains high, particularly if the workflow logs were publicly accessible.

Additionally, it became apparent that the malicious code stemmed from an unverified commit. The code ran a Python script hosted on a GitHub gist, designed to harvest CI/CD secrets from the Runner Worker process. This GitHub gist has since been taken down to prevent further exploitation. This incident underscores the growing menace of supply chain attacks in CI/CD environments, a particularly concerning trend given the high reliance on open-source software. Such attacks can have cascading effects, potentially compromising a myriad of downstream customers.

Actions Taken and Recommendations for Users

In the aftermath of the breach, the project maintainers revealed that the attacker had gained access through a GitHub PAT used by @tj-actions-bot, a bot with privileged access to the compromised repository. Several security enhancements have since been introduced. The bot’s account password was updated, authentication methods were bolstered, and access was limited according to the principle of least privilege. Additionally, GitHub took significant steps by revoking the compromised PAT and instituting a policy prohibiting PAT use for any future projects within the tj-actions organization.

For users of the affected GitHub Action, it is crucial to immediately update to the latest version, 46.0.1. Furthermore, users should thoroughly review workflows executed between March 14 and March 15 for any unexpected outputs within the changed-files section. Such vigilance is necessary because this incident is not an isolated event for tj-actions/changed-files. Back in January 2024, this action experienced another critical security issue, documented as CVE-2023-49291, which allowed arbitrary code execution. Therefore, maintaining up-to-date versions and reviewing security advisories frequently is prudent.

Broader Implications for CI/CD Security

The Rise of Supply Chain Attacks

This incident with tj-actions/changed-files is a grim reminder of the increasing vulnerabilities within open-source software, particularly in CI/CD ecosystems. Supply chain attacks, where a malicious actor infiltrates and compromises software dependencies, have become more prevalent and sophisticated. Open-source software projects are notably susceptible due to their widespread use and reliance on community contributions. Such attacks can ripple through numerous dependent projects and users, causing extensive damage and operational disruptions.

Organizations must adopt comprehensive security practices to mitigate these risks. This includes implementing multi-factor authentication for all accounts, conducting regular code audits, and employing automated tools for continuous monitoring of dependencies. Moreover, adhering to the principle of least privilege by limiting access rights to only what is necessary ensures any potential damage from compromised accounts is minimized. Additionally, organizations should cultivate a culture of security awareness, emphasizing the importance of vigilance and prompt action when security breaches are suspected or confirmed.

Future Considerations and Best Practices

Looking ahead, it is essential for development teams to recognize that the landscape of cybersecurity threats is ever-evolving. The compromise of tj-actions/changed-files serves as a case study for the necessity of proactive and robust security measures. As part of best practices, teams should consider using dependency management tools that can detect and alert on vulnerable software versions. Regularly reviewing and rotating secrets, implementing strong authentication protocols, and making use of managed CI/CD services that offer enhanced security features can also fortify defenses against such incidents.

Furthermore, contributing to and relying on open-source software necessitates a community-driven approach to security. By actively participating in open-source communities, developers can help identify vulnerabilities, contribute to security patches, and share knowledge about best practices. Collaboration between organizations, open-source maintainers, and security researchers would help create a more resilient software ecosystem. This collective effort could significantly reduce the impact of future supply chain attacks, fostering a safer development environment for all.

Ensure Your Repository’s Security

Earlier this year, GitHub encountered a major cybersecurity incident that impacted the developer community, especially those utilizing the widely-used GitHub Action tj-actions/changed-files. This specific Action, which is a key part of the CI/CD (Continuous Integration and Continuous Delivery) workflow, is employed by over 23,000 repositories to help in tracking and retrieving files and directories that have been modified. The breach resulted in the exposure of sensitive secrets from the affected repositories and has been identified under the CVE-2025-30066. The severity of this security breach is illustrated by its CVSS score of 8.6, indicating a high level of risk and impact. The event has prompted heightened concerns and reinforced the urgency for robust cybersecurity measures within the developer community. Addressing such vulnerabilities is essential to safeguarding the integrity and confidentiality of developer resources and workflows on platforms like GitHub.

Explore more

D365 Supply Chain Tackles Key Operational Challenges

Imagine a mid-sized manufacturer struggling to keep up with fluctuating demand, facing constant stockouts, and losing customer trust due to delayed deliveries, a scenario all too common in today’s volatile supply chain environment. Rising costs, fragmented data, and unexpected disruptions threaten operational stability, making it essential for businesses, especially small and medium-sized enterprises (SMBs) and manufacturers, to find ways to

Cloud ERP vs. On-Premise ERP: A Comparative Analysis

Imagine a business at a critical juncture, where every decision about technology could make or break its ability to compete in a fast-paced market, and for many organizations, selecting the right Enterprise Resource Planning (ERP) system becomes that pivotal choice—a decision that impacts efficiency, scalability, and profitability. This comparison delves into two primary deployment models for ERP systems: Cloud ERP

Selecting the Best Shipping Solution for D365SCM Users

Imagine a bustling warehouse where every minute counts, and a single shipping delay ripples through the entire supply chain, frustrating customers and costing thousands in lost revenue. For businesses using Microsoft Dynamics 365 Supply Chain Management (D365SCM), this scenario is all too real when the wrong shipping solution disrupts operations. Choosing the right tool to integrate with this powerful platform

How Is AI Reshaping the Future of Content Marketing?

Dive into the future of content marketing with Aisha Amaira, a MarTech expert whose passion for blending technology with marketing has made her a go-to voice in the industry. With deep expertise in CRM marketing technology and customer data platforms, Aisha has a unique perspective on how businesses can harness innovation to uncover critical customer insights. In this interview, we

Why Are Older Job Seekers Facing Record Ageism Complaints?

In an era where workforce diversity is often championed as a cornerstone of innovation, a troubling trend has emerged that threatens to undermine these ideals, particularly for those over 50 seeking employment. Recent data reveals a staggering surge in complaints about ageism, painting a stark picture of systemic bias in hiring practices across the U.S. This issue not only affects