Was Your Repository Affected By the GitHub Action Compromise?

Article Highlights
Off On

Earlier this year, GitHub faced a significant cybersecurity incident that shook the developer community, particularly those using the popular GitHub Action tj-actions/changed-files. This Action, employed by more than 23,000 repositories, assists in tracking and retrieving changed files and directories within the CI/CD (Continuous Integration and Continuous Delivery) workflow. The incident exposed sensitive secrets from the affected repositories and has been identified with the CVE-2025-30066. With a CVSS score of 8.6, the severity of this compromise cannot be overstated.

Details of the Compromise

Attackers Exploited the Code

In a troubling discovery, researchers found that attackers had managed to alter the code of tj-actions/changed-files and retroactively update multiple version tags to link to a malicious commit. This compromised code was crafted to print CI/CD secrets, including AWS access keys, GitHub Personal Access Tokens (PATs), npm tokens, and private RSA keys, within the GitHub Action build logs. While there is no concrete evidence suggesting that the exposed secrets were exfiltrated to an attacker-controlled server, the threat level remains high, particularly if the workflow logs were publicly accessible.

Additionally, it became apparent that the malicious code stemmed from an unverified commit. The code ran a Python script hosted on a GitHub gist, designed to harvest CI/CD secrets from the Runner Worker process. This GitHub gist has since been taken down to prevent further exploitation. This incident underscores the growing menace of supply chain attacks in CI/CD environments, a particularly concerning trend given the high reliance on open-source software. Such attacks can have cascading effects, potentially compromising a myriad of downstream customers.

Actions Taken and Recommendations for Users

In the aftermath of the breach, the project maintainers revealed that the attacker had gained access through a GitHub PAT used by @tj-actions-bot, a bot with privileged access to the compromised repository. Several security enhancements have since been introduced. The bot’s account password was updated, authentication methods were bolstered, and access was limited according to the principle of least privilege. Additionally, GitHub took significant steps by revoking the compromised PAT and instituting a policy prohibiting PAT use for any future projects within the tj-actions organization.

For users of the affected GitHub Action, it is crucial to immediately update to the latest version, 46.0.1. Furthermore, users should thoroughly review workflows executed between March 14 and March 15 for any unexpected outputs within the changed-files section. Such vigilance is necessary because this incident is not an isolated event for tj-actions/changed-files. Back in January 2024, this action experienced another critical security issue, documented as CVE-2023-49291, which allowed arbitrary code execution. Therefore, maintaining up-to-date versions and reviewing security advisories frequently is prudent.

Broader Implications for CI/CD Security

The Rise of Supply Chain Attacks

This incident with tj-actions/changed-files is a grim reminder of the increasing vulnerabilities within open-source software, particularly in CI/CD ecosystems. Supply chain attacks, where a malicious actor infiltrates and compromises software dependencies, have become more prevalent and sophisticated. Open-source software projects are notably susceptible due to their widespread use and reliance on community contributions. Such attacks can ripple through numerous dependent projects and users, causing extensive damage and operational disruptions.

Organizations must adopt comprehensive security practices to mitigate these risks. This includes implementing multi-factor authentication for all accounts, conducting regular code audits, and employing automated tools for continuous monitoring of dependencies. Moreover, adhering to the principle of least privilege by limiting access rights to only what is necessary ensures any potential damage from compromised accounts is minimized. Additionally, organizations should cultivate a culture of security awareness, emphasizing the importance of vigilance and prompt action when security breaches are suspected or confirmed.

Future Considerations and Best Practices

Looking ahead, it is essential for development teams to recognize that the landscape of cybersecurity threats is ever-evolving. The compromise of tj-actions/changed-files serves as a case study for the necessity of proactive and robust security measures. As part of best practices, teams should consider using dependency management tools that can detect and alert on vulnerable software versions. Regularly reviewing and rotating secrets, implementing strong authentication protocols, and making use of managed CI/CD services that offer enhanced security features can also fortify defenses against such incidents.

Furthermore, contributing to and relying on open-source software necessitates a community-driven approach to security. By actively participating in open-source communities, developers can help identify vulnerabilities, contribute to security patches, and share knowledge about best practices. Collaboration between organizations, open-source maintainers, and security researchers would help create a more resilient software ecosystem. This collective effort could significantly reduce the impact of future supply chain attacks, fostering a safer development environment for all.

Ensure Your Repository’s Security

Earlier this year, GitHub encountered a major cybersecurity incident that impacted the developer community, especially those utilizing the widely-used GitHub Action tj-actions/changed-files. This specific Action, which is a key part of the CI/CD (Continuous Integration and Continuous Delivery) workflow, is employed by over 23,000 repositories to help in tracking and retrieving files and directories that have been modified. The breach resulted in the exposure of sensitive secrets from the affected repositories and has been identified under the CVE-2025-30066. The severity of this security breach is illustrated by its CVSS score of 8.6, indicating a high level of risk and impact. The event has prompted heightened concerns and reinforced the urgency for robust cybersecurity measures within the developer community. Addressing such vulnerabilities is essential to safeguarding the integrity and confidentiality of developer resources and workflows on platforms like GitHub.

Explore more

Visa Launches SDK to Expand Digital Payments Across Africa

A local street vendor in Accra or a tech-savvy freelancer in Dar es Salaam often finds that having a mobile wallet is not enough to participate in the lucrative global digital economy. While local transfers have flourished, the inability to access international marketplaces creates a glass ceiling for millions of ambitious African entrepreneurs and consumers. The launch of the Visa

Uzbekistan Rapidly Transforms Its Digital Financial Sector

A traveler walking through the bustling Chorsu Bazaar in Tashkent today would likely witness a scene that would have been unrecognizable only a few years ago: vendors who once strictly dealt in stacks of som notes now effortlessly accept instant QR code payments on their mobile devices. This micro-level shift at a local market stall reflects a macro-level upheaval within

How Remote Work and AI Are Eroding Entry-Level Hiring

The traditional expectation that a university degree serves as a guaranteed entry point into a stable professional trajectory has collided with a harsh new economic reality where early-career opportunities are rapidly evaporating. While the labor market has historically rewarded the vigor and potential of young graduates, a silent decoupling occurred that left the newest members of the workforce navigating a

Salesforce, NiCE, and Oracle Lead ISG 2026 CXM Rankings

The modern consumer’s loyalty now hinges on a singular, invisible thread that snaps the moment a customer is forced to repeat their grievance to a third representative who has no record of the previous conversation. In a marketplace defined by hyper-competition, these fragmented experiences are no longer merely inconvenient; they are financially catastrophic for the enterprise. As organizations struggle with

Has Hyper-Measurement Killed Creativity in B2B Marketing?

The digital dashboard promised a world of absolute certainty where every marketing dollar could be tracked with surgical precision, yet many B2B brands now find themselves invisible in a sea of data-driven sameness. While marketing departments once thrived on intuition and bold storytelling, the modern era has substituted that creative spark for a reliance on real-time analytics that often prioritizes