A critical security incident has been uncovered involving the popular GitHub Action tj-actions/changed-files, which is used in over 23,000 repositories.
The attack involved a malicious modification of the Action's code, resulting in the exposure of CI/CD secrets in GitHub Actions build logs.
This vulnerability was detected by StepSecurity's Harden-Runner, a tool designed to secure CI/CD workflows by monitoring network activity and controlling access on GitHub-hosted and self-hosted runners.
The compromised Action executes a malicious Python script that dumps sensitive data from the GitHub Actions runner's memory.
The exploit specifically targets Linux environments, where it attempts to extract secrets by reading the memory of the Runner Worker process.
The malicious code was introduced through a retroactive update of multiple version tags, all pointing to the same malicious commit hash.
This sophisticated attack method allowed the attackers to compromise most versions of the Action without immediately raising suspicion.
Incident Timeline
The incident began on March 14, 2025, and was quickly identified by StepSecurity's anomaly detection capabilities.
By March 15, GitHub had removed the compromised Action, preventing further use in workflows.
However, the repository was later restored with all versions updated to exclude the malicious code.
To mitigate the impact, StepSecurity released a secure drop-in replacement for the compromised Action, recommending that users replace all instances of tj-actions/changed-files with step-security/changed-files.
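The two practical takeaways from the tag-retargeting above and the replacement advice are: find every workflow that references the compromised Action, and stop referencing any third-party Action by a mutable tag or branch, since a tag can be moved to a different commit while a 40-character commit SHA cannot. The following audit script is an added example written for this article; it is not StepSecurity's tooling or code from either Action repository. The sample workflow and the all-zero SHA it uses are constructed placeholders.

```python
"""Audit GitHub Actions workflow files for references to tj-actions/changed-files
and for any `uses:` line that is not pinned to a full commit SHA.

Added example for this article; not code from StepSecurity or from either
Action repository. The sample workflow below is constructed for illustration.
"""
import re
import sys
from pathlib import Path

# Matches "uses: owner/repo[/subpath]@ref" on a workflow step line.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+)(/[^@\s]+)?@(\S+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
COMPROMISED = "tj-actions/changed-files"
REPLACEMENT = "step-security/changed-files"   # drop-in replacement named in the article


def audit_workflow(text):
    """Return findings for one workflow file's contents.

    Each finding carries the line number, action, ref and a list of issues:
      "compromised-action"  the Action named in the advisory is referenced
      "mutable-ref"         the ref is a tag or branch, not a 40-hex commit SHA
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0]          # ignore trailing YAML comments
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group(1), m.group(3)
        issues = []
        if action == COMPROMISED:
            issues.append("compromised-action")
        if not FULL_SHA_RE.match(ref):
            issues.append("mutable-ref")
        if issues:
            findings.append({"line": lineno, "action": action, "ref": ref, "issues": issues})
    return findings


def pin_and_replace(line, sha):
    """Rewrite a `uses:` line that references the compromised Action so it points
    at the replacement, pinned to the given commit SHA. Other lines are returned
    unchanged. The caller supplies the SHA after verifying it in the replacement repo."""
    m = USES_RE.match(line.split("#", 1)[0])
    if not m or m.group(1) != COMPROMISED:
        return line
    prefix = line[: m.start(1)]
    subpath = m.group(2) or ""
    return f"{prefix}{REPLACEMENT}{subpath}@{sha}  # was {m.group(1)}@{m.group(3)}"


def audit_directory(root):
    """Audit every workflow under <root>/.github/workflows; returns {path: findings}."""
    results = {}
    for path in sorted(Path(root).glob(".github/workflows/*.y*ml")):
        findings = audit_workflow(path.read_text(encoding="utf-8"))
        if findings:
            results[str(path)] = findings
    return results


# Constructed sample workflow: one unpinned common action, one reference to the
# compromised Action on a tag, and one correctly SHA-pinned step (placeholder SHA).
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Detect changed files
        uses: tj-actions/changed-files@v45   # mutable tag: can be retargeted
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
"""

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    report = audit_directory(target) if target else {"<sample>": audit_workflow(SAMPLE_WORKFLOW)}
    for path, findings in report.items():
        for f in findings:
            print(f"{path}:{f['line']}: {f['action']}@{f['ref']} -> {', '.join(f['issues'])}")
```

Run it with a repository path to audit real workflow files, or with no argument to see the findings for the constructed sample. The rewrite helper deliberately takes the SHA as a parameter rather than resolving a tag over the network: resolving at audit time would re-introduce the same trust-in-a-mutable-tag problem the incident exploited.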
Response
The attack highlights the risks associated with supply chain vulnerabilities in open-source software.
While there is no evidence that leaked secrets were exfiltrated to remote networks, public repositories are particularly vulnerable because their build logs are accessible to anyone.
Users are advised to review recent workflow logs for signs of leaked secrets and rotate those secrets immediately if any are found.
An official CVE (CVE-2025-30066) has been published to track this incident, emphasizing the need for proactive security measures in CI/CD pipelines.
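Reviewing logs for leaked secrets by eye does not scale across a few thousand workflow runs, and GitHub's log masking only hides secret values that appear verbatim, so a value written out in a transformed form can survive in the log. The scanner below is an added example for this article, not part of StepSecurity's tooling or either Action's code. It looks for two credential formats whose prefixes are published by their issuers (GitHub tokens, AWS access key IDs) and, as a heuristic that is my own assumption rather than anything the article states, flags long base64 runs and decodes one layer of them to see whether a known format is hiding inside. The log lines are constructed and the token values in them are made up; the report redacts whatever it finds so the audit output does not itself become a second leak.

```python
"""Scan GitHub Actions log text for indicators of leaked credentials.

Added example for this article; not StepSecurity's code. The sample log lines
are constructed, and the credential values in them are made up or the issuer's
documented example value.
"""
import base64
import binascii
import re

# Credential formats with issuer-published prefixes.
PATTERNS = {
    "github-token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}
# Heuristic (assumption, not from the article): a 48+ character base64 run is
# unusual in a build log and may be an encoded value that evaded exact-match masking.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{48,}={0,2}")


def redact(value):
    """Keep only a short prefix so the report never reproduces the credential."""
    return value[:4] + "[redacted]"


def decode_base64_if_text(blob):
    """Decode one base64 layer; return the text only if it is printable ASCII."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (ValueError, binascii.Error):
        return None
    if not raw or any(b < 32 or b > 126 for b in raw):
        return None
    return raw.decode("ascii")


def scan_log(text):
    """Return a list of {line, kind, preview} findings for the given log text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                findings.append({"line": lineno, "kind": kind, "preview": redact(m.group(0))})
        for m in BASE64_RUN.finditer(line):
            blob = m.group(0)
            kind = "base64-blob"               # worth a look even if nothing is recognised inside
            decoded = decode_base64_if_text(blob)
            if decoded:
                for inner_kind, pat in PATTERNS.items():
                    if pat.search(decoded):
                        kind = "base64-encoded-" + inner_kind
                        break
            findings.append({"line": lineno, "kind": kind, "preview": redact(blob)})
    return findings


# Constructed sample: a plain GitHub-style token and a base64-wrapped AWS key
# (the AWS value is the issuer's documented example key, not a real credential).
ENCODED_EXAMPLE = base64.b64encode(b"AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE").decode()
SAMPLE_LOG = f"""\
2025-03-15T10:02:11.000Z Run tj-actions/changed-files
2025-03-15T10:02:12.000Z All changed files: src/app.py
2025-03-15T10:02:13.000Z ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij
2025-03-15T10:02:14.000Z {ENCODED_EXAMPLE}
2025-03-15T10:02:15.000Z Finished
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['kind']} ({f['preview']})")
```

Feed it the downloaded log of any run that executed the Action during the affected window; every hit, including a bare base64 blob that decodes to nothing recognisable, is a reason to rotate the credentials that workflow had access to rather than a thing to explain away.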