GitHub Actions Supply Chain Attack: CI/CD Security Breach in tj-actions/changed-files
- Nox90 Engineering
- Apr 5

Detailed Report on GitHub Action Compromise Impacting CI/CD Security
Executive Summary
In March 2025, a significant supply chain attack was identified involving the GitHub Action
Incident Details
- Affected Component: tj-actions/changed-files GitHub Action
- CVE Identifier: CVE-2025-30066
- CVSS Score: 8.6
- Date of Discovery: March 14, 2025
- Reported by: StepSecurity and various cybersecurity firms
Attack Description
The attackers compromised the
Exploitation in the Wild
Although the compromised action printed secrets to logs, there is no current evidence indicating that these secrets were exfiltrated to attacker-controlled infrastructure. However, the exposure of these secrets poses a significant risk if the logs were publicly accessible.
Affected Entities
- Repositories Impacted: Over 23,000
- Organizations Affected: Any organization using the tj-actions/changed-files action in their CI/CD workflows.
Mitigation Steps
- Immediate Actions:
  - Update to version 46.0.1 of tj-actions/changed-files.
  - Rotate all exposed and potentially exposed secrets immediately.
  - Review workflow logs for unexpected output under the changed-files section.
- Long-term Mitigation:
  - Implement the principle of least privilege for GitHub PATs and other secrets.
  - Regularly audit third-party actions used in CI/CD pipelines.
  - Monitor for unauthorized changes to CI/CD workflows.
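As an added example (not part of the original report), the following Python script shows one way to carry out the "audit third-party actions" step: it scans a workflow file for `uses:` references and flags any tj-actions/changed-files reference that is still on a tag below 46.0.1 or on a mutable ref. It goes one step beyond the report's list by also checking whether each action is pinned to a full commit SHA, which is GitHub's general hardening recommendation for third-party actions; the sample workflow and the 40-character SHA in it are constructed placeholders, not the real commit for 46.0.1.

```python
import re

# Constructed sample workflow (not from the report). The "@v45" reference is the
# kind of mutable tag pin that a compromised release can hijack; the SHA-pinned
# step is the hardened form. The SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  changes:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: detect changes
        uses: tj-actions/changed-files@v45
      - uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567  # placeholder
"""

# Matches "uses: owner/repo[/subpath]@ref" (local "./" and "docker://" forms are skipped).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+)(?:/[^@\s]+)?@(\S+)", re.M)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
AFFECTED = "tj-actions/changed-files"
FIXED = (46, 0, 1)  # fixed version named in the report


def parse_version(ref):
    """Turn a tag such as 'v45' or 'v46.0.1' into a comparable tuple; None if not a tag."""
    m = re.match(r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?$", ref)
    return None if m is None else tuple(int(x or 0) for x in m.groups())


def audit_workflow(text):
    """Return (action, ref, verdict) for every remote action the workflow uses."""
    findings = []
    for action, ref in USES_RE.findall(text):
        if FULL_SHA_RE.match(ref):
            verdict = "ok: pinned to full commit SHA"
        elif action == AFFECTED:
            ver = parse_version(ref)
            if ver is None or ver < FIXED:
                verdict = "ALERT: affected action on old/mutable ref, update to 46.0.1 and pin by SHA"
            else:
                verdict = "warn: fixed version but tag is mutable, prefer a SHA pin"
        else:
            verdict = "warn: mutable tag/branch ref"
        findings.append((action, ref, verdict))
    return findings


if __name__ == "__main__":
    for action, ref, verdict in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{action}@{ref}: {verdict}")
```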
Conclusion
This incident underscores the critical need for organizations to reinforce security measures around CI/CD workflows and the use of third-party GitHub Actions. Ensuring robust security practices can mitigate the impact of such supply chain attacks and protect sensitive information from exposure.