GitHub Action Supply Chain Compromise
On March 19, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a critical vulnerability, identified as CVE-2025-30066, to its Known Exploited Vulnerabilities (KEV) catalog. This vulnerability stems from a supply chain compromise affecting the GitHub Action tj-actions/changed-files
, posing significant risks to organizations utilizing this action in their continuous integration and continuous deployment (CI/CD) workflows.
Understanding the Vulnerability
The tj-actions/changed-files
GitHub Action is designed to detect and list files modified in a pull request or commit, facilitating automated workflows in CI/CD pipelines. However, the compromised version contains embedded malicious code that allows remote attackers to access sensitive data by reading action logs. These logs may inadvertently expose secrets such as AWS access keys, GitHub personal access tokens (PATs), npm tokens, and private RSA keys.
Cascade of Compromises
The breach appears to be part of a cascading supply chain attack. Initial investigations by cloud security firm Wiz suggest that attackers first compromised the reviewdog/action-setup@v1
GitHub Action. Subsequently, the tj-actions/eslint-changed-files
action, which depends on reviewdog/action-setup@v1
, was infiltrated. This chain reaction allowed the malicious code to propagate to tj-actions/changed-files
, thereby affecting numerous downstream projects that incorporated this action into their workflows.
Technical Details of the Exploit
The attack involves injecting a Base64-encoded payload into the install.sh
script within the compromised action. When executed, this payload extracts and logs environment secrets, which are then accessible to the attackers. The breach was facilitated by a compromised GitHub Personal Access Token (PAT), enabling unauthorized modifications to the repository. Notably, the reviewdog
GitHub organization, associated with the initial compromise, has a large contributor base and employs automated contributor invitations, potentially increasing its vulnerability to such attacks.
Recommended Mitigation Steps
In response to this active exploitation, CISA advises organizations and federal agencies to:
- Update Affected Actions: Immediately upgrade to the latest version of
tj-actions/changed-files
(version 46.0.1 or later) by April 4, 2025, to mitigate the vulnerability. - Audit Workflows: Review past CI/CD workflows for any suspicious activity or unauthorized access, focusing on logs that may contain exposed secrets.
- Rotate Secrets: Revoke and regenerate any credentials or secrets that may have been compromised to prevent unauthorized access.
- Pin Dependencies: Configure GitHub Actions to reference specific commit hashes instead of mutable version tags to ensure the integrity of the actions being executed.
Conclusion
This incident underscores the critical importance of securing the software supply chain, particularly in CI/CD environments. Organizations must exercise vigilance in managing dependencies, regularly audit their workflows, and implement best practices such as pinning actions to immutable references. By proactively addressing these vulnerabilities, the risk of unauthorized access and potential data breaches can be significantly reduced.