Popular GitHub Action Targeted in Supply Chain Attack

A widely used GitHub Action has been compromised in a supply chain attack, seemingly aimed at extracting secrets related to continuous integration and continuous delivery (CI/CD).

The affected GitHub Action, tj-actions/changed-files, is part of tj-actions, a collection of tools designed to optimize CI/CD workflows. This particular action, which helps track file and directory modifications, is actively used in over 23,000 repositories.

According to security firm StepSecurity, the attack began on March 14, when a threat actor altered the Changed-files code to inject a malicious Python script. This script was designed to expose CI/CD secrets by logging them in build outputs.

“If workflow logs are publicly accessible (such as in public repositories), anyone could potentially retrieve and exploit these exposed secrets,” StepSecurity warned.

Although some public repositories were found leaking sensitive information in build logs, there is currently no evidence that the exposed secrets have been exfiltrated.

The attack affected most existing version tags of tj-actions/changed-files: the tags were moved so that they pointed at a malicious commit, meaning workflows that referenced the action by tag pulled the injected code without any change on their side. The incident has been assigned the CVE identifier CVE-2025-30066.

Another security firm, Endor Labs, has also analyzed the breach and found no signs of impact on downstream open-source libraries or containers. However, they highlighted a broader risk:

“The attacker likely wasn’t interested in secrets from public repositories—they are already exposed. Instead, their goal may have been to compromise the software supply chain for open-source packages, binaries, and artifacts built using this workflow. This could mean that thousands of open-source projects have been inadvertently affected,” Endor Labs noted in a blog post.

The firm also warned that enterprise organizations using both private and public repositories could be at risk if their CI/CD secrets—such as those for artifact or container registries—were compromised.

By March 15, GitHub took down tj-actions/changed-files but reinstated it later the same day after removing the malicious commit from all affected tags and branches.

Tj-actions developers and security experts have since shared guidance on identifying indicators of compromise (IoCs) and responding to the incident.
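The two practical lessons from the incident are that a version tag is a mutable pointer (the attacker moved the tags, so a workflow referencing `@v45`-style tags silently picked up the malicious commit) and that responders need to check which commit their workflows actually resolve to. The following script is an added example, not code from the article or from the tj-actions project: it scans workflow YAML text for `uses:` steps that reference a given action, flags references that are not pinned to a full 40-hex commit SHA, and optionally matches pinned SHAs against a list of known-bad commits. The sample workflow and the `known_bad` SHA used below are constructed placeholders; the real IoC commit hash is not on this page and must be taken from the published guidance.

```python
import re

# A full git object id is 40 hex characters; only this form is immutable.
# Tags and branches can be retargeted by whoever controls the action repo.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Matches workflow step lines such as:
#   - uses: tj-actions/changed-files@v45
#     uses: "owner/repo/subdir@ref"   # trailing comment
# Group 1: owner/repo (optional subpath), group 2: the ref after '@'.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@([^\s'\"#]+)"
)


def classify_uses(workflow_text, action="tj-actions/changed-files", known_bad=frozenset()):
    """Return [(line_no, ref, status)] for every step that uses `action`.

    status is one of:
      'known_bad' - ref is a commit SHA on the caller-supplied IoC list
      'pinned'    - ref is a full 40-hex commit SHA (cannot be moved)
      'mutable'   - ref is a tag or branch name (can be retargeted)
    """
    bad = {s.lower() for s in known_bad}
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        repo, ref = m.group(1), m.group(2)
        if repo.lower() != action.lower():
            continue
        ref_l = ref.lower()
        if ref_l in bad:
            status = "known_bad"
        elif FULL_SHA_RE.match(ref_l):
            status = "pinned"
        else:
            status = "mutable"
        findings.append((n, ref, status))
    return findings


def mutable_refs(workflow_text, action="tj-actions/changed-files"):
    """Convenience view: just the (line_no, ref) pairs that should be re-pinned."""
    return [(n, ref) for n, ref, status in classify_uses(workflow_text, action)
            if status == "mutable"]


# Constructed sample workflow (not a real repository's file). The 40-hex value
# is a placeholder, not the commit from the incident.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Detect changed files
        uses: tj-actions/changed-files@v45
      - name: Detect changed files (pinned)
        uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567 # v45
      - uses: "tj-actions/changed-files@main"
"""

if __name__ == "__main__":
    # PLACEHOLDER_BAD_SHA stands in for the published IoC commit hash.
    PLACEHOLDER_BAD_SHA = "0123456789abcdef0123456789abcdef01234567"
    for n, ref, status in classify_uses(SAMPLE_WORKFLOW, known_bad={PLACEHOLDER_BAD_SHA}):
        print(f"line {n}: @{ref} -> {status}")
```

Run it against every file under `.github/workflows/` in the repositories you own; anything reported as `mutable` should be re-pinned to a commit SHA you have verified, and anything reported as `known_bad` means the workflow already resolved to the attacker's commit and its secrets should be treated as exposed and rotated. Pinning is only half the job: a pinned SHA is immutable, but it still has to be checked against the IoC list, which is why the function accepts `known_bad`.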

The attack has sparked debate, with some speculating that it was either an attempt by an unsophisticated actor or a deliberate effort to highlight vulnerabilities in supply chain security. Interestingly, a researcher noted that one year ago, he had published a blog post outlining a similar attack scenario targeting tj-actions/changed-files.
