The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a vulnerability linked to the supply chain compromise of the GitHub Action tj-actions/changed-files to its Known Exploited Vulnerabilities (KEV) catalog.
The high-severity flaw, tracked as CVE-2025-30066 (CVSS score: 8.6), involves the breach of the GitHub Action to inject malicious code that allows a remote attacker to access sensitive data via actions logs.
"The tj-actions/changed-files GitHub Action contains an embedded malicious code vulnerability that allows a remote attacker to discover secrets by reading actions logs," CISA said in an alert.
"These secrets may include, but are not limited to, valid AWS access keys, GitHub personal access tokens (PATs), npm tokens, and private RSA keys."
Cloud security company Wiz has since revealed that the attack may have been an instance of a cascading supply chain attack, with unidentified threat actors first compromising the reviewdog/action-setup@v1 GitHub Action in order to infiltrate tj-actions/changed-files.
"tj-actions/eslint-changed-files uses reviewdog/action-setup@v1, and the tj-actions/changed-files repository runs this tj-actions/eslint-changed-files Action with a Personal Access Token," Wiz researcher Rami McCarthy said. "The reviewdog Action was compromised during approximately the same time window as the tj-actions PAT compromise."
It is currently not clear how this took place, but the compromise is said to have occurred on March 11, 2025. The breach of tj-actions/changed-files took place at some point before March 14.
This means that the infected reviewdog action could be used to insert malicious code into any CI/CD workflow using it, in this case a Base64-encoded payload that is appended to a file named install.sh used by the workflow.
As in the case of tj-actions, the payload is designed to expose secrets from repositories running the workflow by writing them to logs. The issue affects only one tag (v1) of reviewdog/action-setup.
The maintainers of tj-actions have disclosed that the attack was the result of a compromised GitHub Personal Access Token (PAT) that enabled the attackers to modify the repository with unauthorized code.
"We can tell the attacker gained sufficient access to update the v1 tag to the malicious code they had placed on a fork of the repository," McCarthy said.
"The reviewdog GitHub Organization has a relatively large contributor base and appears to be actively adding contributors via automated invitations. This increases the attack surface for a contributor's access to have been compromised or contributor access to have been gained maliciously."
In light of the compromise, affected users and federal agencies are advised to update to the latest version of tj-actions/changed-files (46.0.1) by April 4, 2025, to secure their networks against active threats. But given the root cause, there is a risk of recurrence.
Besides replacing the affected actions with safer alternatives, it is recommended to audit past workflows for suspicious activity, rotate any leaked secrets, and pin all GitHub Actions to specific commit hashes instead of version tags.
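As an added example (not code from the article or from the projects it names), a small Python audit helper that applies the last recommendation: it scans a workflow file for `uses:` references pinned to a mutable tag or branch rather than a full 40-character commit SHA, and additionally flags the two actions named above. The workflow text and the SHAs in it are constructed samples.

```python
import re

# Matches "uses: owner/repo@ref" (with or without a leading "- ");
# local actions such as "./.github/actions/x" carry no "@" and are not matched.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#@]+)@([^\s#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Actions named in the incident; a pinned reference to them still deserves review.
WATCHLIST = {"tj-actions/changed-files", "reviewdog/action-setup"}


def audit_workflow(text):
    """Return (action, ref, reason) tuples for every finding in a workflow file."""
    findings = []
    for action, ref in USES_RE.findall(text):
        if not FULL_SHA_RE.match(ref):
            # Tags, branches and abbreviated SHAs can all be moved or are ambiguous.
            findings.append((action, ref, "not pinned to a full commit SHA"))
        if action in WATCHLIST:
            findings.append((action, ref, "named in the tj-actions/reviewdog incident"))
    return findings


def unpinned_actions(text):
    """Convenience view: the set of actions not pinned to a full commit SHA."""
    return {a for a, _, reason in audit_workflow(text) if reason.startswith("not pinned")}


# Constructed sample workflow; the 40-hex value is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  changed:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # constructed SHA
      - uses: tj-actions/changed-files@v46
      - uses: reviewdog/action-setup@v1
      - uses: actions/cache@abcdef0
      - uses: ./.github/actions/local
      - name: node
        uses: actions/setup-node@main
"""

if __name__ == "__main__":
    for action, ref, reason in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{action}@{ref}: {reason}")
```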