A significant security breach involving a popular GitHub Action has put approximately 23,000 repositories at risk of exposing sensitive information. The compromised action, known as , was manipulated to leak continuous integration and delivery (CI/CD) secrets into public build logs, raising alarms across the developer community.
Key Takeaways
Compromised Action: The tj-actions/changed-files GitHub Action was altered to leak secrets.
Affected Repositories: Over 23,000 repositories utilized the compromised action.
Security Response: GitHub removed the action temporarily and has since restored it after addressing the issue.
Recommendations: Developers are urged to rotate credentials and audit their repositories for potential exposure.
Overview of the Incident
On March 14, 2025, security firm StepSecurity reported that the action had been compromised. This action is widely used for tracking changes in files and directories within CI/CD workflows. Attackers modified the action's code to execute a malicious Python script that printed sensitive CI/CD secrets to build logs, which could be publicly accessible in many cases.
The malicious commit was designed to download and run a script that scanned the memory of the GitHub Runner for credentials, including API keys and access tokens. The incident has been assigned the CVE identifier CVE-2025-30066.
Attack Details
Timeline: The initial compromise is believed to have occurred on March 12, 2025, with the malicious code being discovered on March 14.
Method of Attack: Attackers retroactively updated multiple version tags to point to the malicious commit, allowing the leak of secrets.
Scope of Exposure: While the risk to private repositories is lower, any repository using the affected action should treat its secrets as potentially compromised.
GitHub's Response
In response to the breach, GitHub temporarily removed the action and restored it after the malicious code was eliminated. The maintainers of the action have taken steps to enhance security, including:
Updating the password for the bot account associated with the action.
Implementing passkey authentication.
Restricting account permissions to the minimum necessary.
Recommendations for Developers
Given the potential exposure of sensitive information, developers are advised to take immediate action:
Rotate Credentials: Change any credentials that may have been exposed.
Audit Repositories: Check all repositories that used the compromised action for leaked secrets.
Pin Actions: To prevent similar incidents in the future, developers should pin actions to specific commit hashes rather than using version tags.
Monitor for Indicators of Compromise: Stay vigilant for any signs of unauthorized access or unusual activity in repositories.
This incident underscores the growing threat of supply chain attacks in the software development ecosystem. As organizations increasingly rely on third-party tools and actions, the need for robust security measures becomes paramount. Developers must remain proactive in securing their CI/CD pipelines to mitigate risks associated with such vulnerabilities.
As cybercriminals continue to adapt their strategies, awareness and education remain crucial in combating these threats. Cybersecurity is critical. BetterWorld Technology offers cutting-edge solutions to combat evolving threats while driving innovation. Protect your business with confidence—contact us today for a consultation!
Sources
Popular GitHub Action Targeted in Supply Chain Attack, SecurityWeek.
GitHub supply-chain attack threatens 23,000 organisations, Computing UK.
GitHub supply chain attack spills secrets from 23K projects • The Register, The Register.