Popular GitHub Action Targeted in Supply Chain Attack

The tj-actions/changed-files GitHub Action, which is used in 23,000 repositories, has been targeted in a supply chain attack.

A popular GitHub Action has been compromised in a supply chain attack apparently targeting secrets associated with continuous integration and continuous delivery (CI/CD).

The targeted GitHub Action is called ‘tj-actions/changed-files’. Tj-actions provides GitHub Actions for streamlining CI/CD processes. Changed-files, which is actively used in over 23,000 repositories, is designed for tracking file and directory changes.

According to StepSecurity, a security company specializing in GitHub Actions, the incident started on March 14 and involved a threat actor modifying the Changed-files code to execute a malicious Python script designed to dump CI/CD secrets to build logs.

“If the workflow logs are publicly accessible (such as in public repositories), anyone could potentially read these logs and obtain exposed secrets,” StepSecurity said.

While the security firm has seen multiple public repositories leaking secrets in build logs that anyone can read, it noted that there is no evidence of the leaked secrets having been exfiltrated.

Most of the existing Changed-files version tags were updated to point to the malicious commit. The CVE identifier CVE-2025-30066 has been assigned to this incident.

Software supply chain security firm Endor Labs has also tracked this incident and found no evidence that downstream open source libraries or containers have been impacted.

“The attacker was likely not looking for secrets in public repositories — they are already public. They were likely looking to compromise the software supply chain for other open source libraries, binaries, and artifacts created with this. Any public repository that creates packages or containers as part of a CI pipeline could have been impacted. That means potentially 1,000s of open source packages have the potential to have been compromised,” Endor said in a blog post.

“This can also apply to enterprise organizations that have both private and public repositories. If these repositories share CI/CD pipeline secrets for artifact or container registries these registries can be potentially compromised,” the company added.

On March 15, GitHub removed the tj-actions/changed-files action and restored it the same day, after the malicious commit had been removed from all tags and branches.

Tj-actions developers and the security firms have shared recommendations on checking for indicators of compromise (IoCs) and incident response steps. 
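Because the attack worked by repointing mutable version tags at a malicious commit, a common first response step is to find every workflow that consumes a third-party action by tag or branch rather than by a full commit SHA, and to review the tj-actions/changed-files references first. The audit script below is an added example written for this article; it is not code from tj-actions, StepSecurity, Endor Labs or GitHub. The sample workflow text is constructed, the 40-character SHA in it is a hypothetical placeholder rather than any real tj-actions commit, and the `uses:` parsing is a line-based regular expression, so it handles the usual single-line form but not exotic YAML layouts.

```python
import re
from pathlib import Path
from typing import List, NamedTuple, Tuple

# Constructed sample workflow (not taken from any real repository).
# The 40-hex SHA below is a hypothetical placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Get changed files
        uses: tj-actions/changed-files@v45
      - uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""

# Actions to flag with high severity when they are not pinned to a commit SHA.
WATCHED_ACTIONS = ("tj-actions/changed-files",)

# Matches "uses: owner/repo@ref" both as a list item and as a key inside a step.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*["']?([^\s"'#]+)""")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


class ActionRef(NamedTuple):
    line_no: int
    action: str        # owner/repo, lower-cased for comparison
    ref: str           # tag, branch or commit SHA after the '@'
    pinned_to_sha: bool


def parse_uses(workflow_text: str) -> List[ActionRef]:
    """Return every marketplace action reference in a workflow file.

    Local actions (./path) and container images (docker://) are skipped:
    SHA pinning applies to actions fetched from GitHub repositories.
    """
    refs = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        target = match.group(1)
        if target.startswith("./") or target.startswith("docker://"):
            continue
        action, _, ref = target.partition("@")
        refs.append(ActionRef(line_no, action.lower(), ref,
                              bool(SHA_RE.match(ref))))
    return refs


def audit_workflow(workflow_text: str,
                   watched_actions: Tuple[str, ...] = WATCHED_ACTIONS
                   ) -> List[Tuple[int, str, str, str]]:
    """List (line, action, ref, severity) for references not pinned to a SHA.

    A mutable tag or branch can be moved to different code at any time,
    which is exactly how the Changed-files tags were redirected.
    """
    findings = []
    for ref in parse_uses(workflow_text):
        if ref.pinned_to_sha:
            continue
        severity = "high" if ref.action in watched_actions else "medium"
        findings.append((ref.line_no, ref.action, ref.ref, severity))
    return findings


def audit_directory(workflows_dir: str) -> List[Tuple[str, int, str, str, str]]:
    """Audit every .yml/.yaml file under a .github/workflows directory."""
    results = []
    for path in sorted(Path(workflows_dir).glob("*.y*ml")):
        for line_no, action, ref, severity in audit_workflow(path.read_text()):
            results.append((str(path), line_no, action, ref, severity))
    return results


if __name__ == "__main__":
    # Run against the constructed sample; real use would point at a checkout.
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        print("line %d: %s@%s is not SHA-pinned (%s)" % finding)
    for finding in audit_directory(".github/workflows"):
        print("%s:%d: %s@%s is not SHA-pinned (%s)" % finding)
```

Pinning to a full commit SHA only protects the reference you control: it does not cover actions that the pinned action itself pulls in, and a SHA pin should carry a version comment so it can still be updated deliberately. The findings list is what you would cross-check against the IoCs published by tj-actions and the security firms.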

There has been some speculation regarding this incident, with some believing that it may have been an attack conducted by an unsophisticated threat actor or that it was just an attempt to raise awareness of the potential risks.

One researcher pointed out that one year ago he published a blog post describing a theoretical attack scenario targeting tj-actions/changed-files.

Related: GitHub Actions Artifacts Leak Tokens and Expose Cloud Services and Repositories

Related: GitLoker Strikes Again: New “Goissue” Tool Targets GitHub Developers and Corporate Supply Chains

Related: North Korean Fake IT Workers Pose as Blockchain Developers on GitHub

Related: GitHub Launches Fund to Improve Open Source Project Security

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
