GitHub Actions Supply Chain Attack: CI/CD Security Breach in tj-actions/changed-files

  • Writer: Nox90 Engineering
  • Apr 5
  • 2 min read

Detailed Report on GitHub Action Compromise Impacting CI/CD Security

Executive Summary

In March 2025, a significant supply chain attack was identified involving the GitHub Action tj-actions/changed-files, which is widely used in CI/CD workflows across over 23,000 repositories. The attack exposed sensitive secrets such as AWS access keys, GitHub Personal Access Tokens (PATs), npm tokens, and private RSA keys. The attack was assigned the identifier CVE-2025-30066 with a CVSS score of 8.6.

Incident Details

  • Affected Component: tj-actions/changed-files GitHub Action
  • CVE Identifier: CVE-2025-30066
  • CVSS Score: 8.6
  • Date of Discovery: March 14, 2025
  • Reported by: StepSecurity and various cybersecurity firms

Attack Description

The attackers compromised the tj-actions/changed-files GitHub Action by modifying the action's code and retargeting its version tags at a malicious commit, so that workflows referencing an existing tag silently picked up the new code. The malicious code executed a Python script designed to extract CI/CD secrets from the Runner Worker process, which were then printed in GitHub Actions build logs. The affected versions were those used before March 14, 2025.

Exploitation in the Wild

Although the compromised action printed secrets to logs, there is no current evidence indicating that these secrets were exfiltrated to attacker-controlled infrastructure. However, the exposure of these secrets poses a significant risk if the logs were publicly accessible.

Affected Entities

  • Repositories Impacted: Over 23,000
  • Organizations Affected: Any organization using the tj-actions/changed-files action in their CI/CD workflows.

Mitigation Steps

  • Immediate Actions:
      • Update to version 46.0.1 of tj-actions/changed-files.
      • Rotate all exposed and potentially exposed secrets immediately.
      • Review workflow logs for unexpected output under the changed-files section.
  • Long-term Mitigation:
      • Implement the principle of least privilege for GitHub PATs and other secrets.
      • Regularly audit third-party actions used in CI/CD pipelines.
      • Monitor for unauthorized changes to CI/CD workflows.
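The third-party-action audit that the mitigation list calls for, as an added example that is not part of the original report: a Python check that scans a workflow file for every `uses:` of tj-actions/changed-files and reports whether it is pinned to a full commit SHA (unaffected by a retargeted tag), sits on a tag at or above the 46.0.1 release named above (patched, but the tag remains mutable), or points at an older release or a branch name. The sample workflow and the 40-hex SHA in it are constructed placeholders, not real commits of the action.

```python
import re

ACTION = "tj-actions/changed-files"
FIXED = (46, 0, 1)  # first fixed version named in the advisory above

# Matches a workflow step line "uses: owner/repo[/subpath]@ref" (ref = tag, branch or commit SHA).
USES_RE = re.compile(
    r'^[ \t]*-?[ \t]*uses:[ \t]*["\']?([\w.-]+/[\w.-]+)(/[^@\s"\']*)?@([^\s"\'#]+)',
    re.MULTILINE,
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def parse_version(ref):
    """Turn a tag such as v45 or v46.0.1 into a comparable tuple; None for non-version refs."""
    m = re.fullmatch(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", ref)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def audit_workflow(text):
    """Return (line, ref, status) for every reference to the affected action in one workflow."""
    findings = []
    for m in USES_RE.finditer(text):
        repo, ref = m.group(1), m.group(3)
        if repo != ACTION:
            continue
        line = text.count("\n", 0, m.start()) + 1
        if SHA_RE.match(ref):
            status = "pinned-sha"           # immutable: a retargeted tag cannot affect it
        elif (parse_version(ref) or (0,)) >= FIXED:
            status = "patched-but-mutable"  # fixed release, but the tag can still be moved
        else:
            status = "needs-update"         # older release, branch name or unknown ref
        findings.append((line, ref, status))
    return findings

# Constructed sample workflow; the 40-hex SHA is a placeholder, not a real commit of the action.
SAMPLE_WORKFLOW = """\
name: ci
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: tj-actions/changed-files@v46.0.1
      - uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    for line, ref, status in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {line}: {ACTION}@{ref} -> {status}")
```

Run it over each file under .github/workflows/ in a repository; anything reported as needs-update or patched-but-mutable should be moved to a full commit SHA so that a future tag retargeting cannot change the code the job runs.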

Conclusion

This incident underscores the critical need for organizations to reinforce security measures around CI/CD workflows and the use of third-party GitHub Actions. Ensuring robust security practices can mitigate the impact of such supply chain attacks and protect sensitive information from exposure.
