The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a vulnerability linked to the supply chain compromise of the GitHub Action tj-actions/changed-files to its Known Exploited Vulnerabilities (KEV) catalog.
The high-severity flaw, tracked as CVE-2025-30066 (CVSS score: 8.6), stems from the breach of the GitHub Action to inject malicious code that allows a remote attacker to access sensitive data via action logs.
"The tj-actions/changed-files GitHub Action contains an embedded malicious code vulnerability that allows a remote attacker to discover secrets by reading action logs," CISA said in an alert.
"These secrets may include, but are not limited to, valid AWS access keys, GitHub personal access tokens (PATs), npm tokens, and private RSA keys."
Cloud security company Wiz has since revealed that the attack may have been an instance of a cascading supply chain attack, with unidentified threat actors first compromising the reviewdog/action-setup@v1 GitHub Action in order to infiltrate tj-actions/changed-files.
"tj-actions/eslint-changed-files uses reviewdog/action-setup@v1, and the tj-actions/changed-files repository runs this tj-actions/eslint-changed-files Action with a Personal Access Token," Wiz researcher Rami McCarthy said. "The reviewdog Action was compromised during approximately the same time window as the tj-actions PAT compromise."
It is currently not clear how the reviewdog Action was compromised, but the compromise is said to have occurred on March 11, 2025. The breach of tj-actions/changed-files occurred at some point before March 14.
This means the infected reviewdog Action could be used to insert malicious code into any CI/CD workflow using it, in this case a Base64-encoded payload appended to a file named install.sh that the Action's workflow executes.
As in the tj-actions case, the payload is designed to expose secrets from repositories running the workflow by dumping them into the job logs. The issue affects only one tag (v1) of reviewdog/action-setup.
The maintainers of tj-actions have disclosed that the attack was the result of a compromised GitHub Personal Access Token (PAT) that enabled the attackers to modify the repository with unauthorized code.
"We can tell the attacker gained sufficient access to update the v1 tag to the malicious code they had placed on a fork of the repository," McCarthy said.
"The reviewdog GitHub Organization has a relatively large contributor base and appears to be actively adding contributors via automated invitations. This increases the attack surface for a contributor's access to have been compromised or contributor access to have been gained maliciously."
In light of the compromise, affected users and federal agencies are advised to update to the latest version of tj-actions/changed-files (46.0.1) by April 4, 2025, to secure their networks against active threats. But given the root cause, a compromised credential rather than a code defect, there is a risk of recurrence.
Besides replacing the affected Actions with safer alternatives, it is recommended to audit past workflow runs for suspicious activity, rotate any secrets that may have been written to logs, and pin all GitHub Actions to specific commit hashes instead of version tags, since a tag can be moved to point at attacker-controlled code (as happened with reviewdog's v1) while a full commit SHA cannot.
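A small audit script for that last recommendation, added here as an example and not part of the original article or of any tool from tj-actions, reviewdog, Wiz or CISA. It scans workflow text for `uses:` references, reports every one that points at a mutable tag or branch instead of a full 40-character commit SHA, and additionally flags references to the two Actions named in this incident regardless of version, because the attacker moved tags rather than pushing a new one. The sample workflow and its 40-hex SHA are constructed placeholders, not real workflow content or a real commit.

```python
"""Audit GitHub Actions workflow files for unpinned action references.

Added example; not code from the article, tj-actions, reviewdog, Wiz or CISA.
"""
import re
import sys
from collections import namedtuple

Finding = namedtuple("Finding", "action ref reasons")

# Actions named in the incident. The attacker retargeted tags on these, so any tag
# reference (not only v1 / pre-46.0.1) is untrusted until re-pinned to a reviewed SHA.
INCIDENT_ACTIONS = {"tj-actions/changed-files", "reviewdog/action-setup"}

# Matches `uses: owner/repo[/path]@ref`, with or without a leading list dash or quotes.
USES_RE = re.compile(r"^[ \t]*-?[ \t]*uses:[ \t]*['\"]?([^\s'\"#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow; the 40-hex SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: tj-actions/changed-files@v45
      - uses: reviewdog/action-setup@v1
      - uses: ./.github/actions/local-helper
      - run: echo "plain shell step, no action reference"
"""


def is_pinned(ref):
    """True only for a full 40-hex commit SHA; tags, branches and short SHAs are mutable or ambiguous."""
    return bool(FULL_SHA_RE.match(ref))


def audit_workflow(text):
    """Return a Finding for every remote action reference that is unpinned or names an incident action."""
    findings = []
    for match in USES_RE.finditer(text):
        uses = match.group(1)
        # Local composite actions and docker:// images are outside this check.
        if uses.startswith("./") or uses.startswith("docker://"):
            continue
        path, _, ref = uses.partition("@")
        owner_repo = "/".join(path.split("/")[:2])  # drop any sub-path inside the repo
        reasons = []
        if not ref:
            reasons.append("missing-ref")
        elif not is_pinned(ref):
            reasons.append("unpinned-ref")
        if owner_repo in INCIDENT_ACTIONS:
            reasons.append("incident-action")
        if reasons:
            findings.append(Finding(owner_repo, ref, tuple(reasons)))
    return findings


def pinned_reference(owner_repo, sha, tag):
    """Build the replacement `uses:` value, keeping the tag as a trailing comment for readability."""
    if not is_pinned(sha):
        raise ValueError("expected a full 40-hex commit SHA")
    return f"{owner_repo}@{sha} # {tag}"


if __name__ == "__main__":
    # Pass a workflow file path, or run with no arguments to audit the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WORKFLOW
    for f in audit_workflow(text):
        print(f"{f.action}@{f.ref or '<none>'}: {', '.join(f.reasons)}")
```

To resolve a tag to the commit it currently points at before pinning, `git ls-remote --tags https://github.com/OWNER/REPO` lists tag names alongside their SHAs; review that commit (and, for the incident Actions, confirm it is a release the maintainers published after the cleanup) before passing it to `pinned_reference`. Pinning protects against future tag moves but does nothing for secrets already printed into logs of past runs, which is why the rotation step above is separate.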