Sign in Subscribe

GitHub Action Supply Chain Compromise

Sascha Corti

2 min read
GitHub Action Supply Chain Compromise
Photo by SCARECROW artworks / Unsplash

On March 19, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a critical vulnerability, identified as CVE-2025-30066, to its Known Exploited Vulnerabilities (KEV) catalog. This vulnerability stems from a supply chain compromise affecting the GitHub Action tj-actions/changed-files, posing significant risks to organizations utilizing this action in their continuous integration and continuous deployment (CI/CD) workflows.

Understanding the Vulnerability

The tj-actions/changed-files GitHub Action is designed to detect and list files modified in a pull request or commit, facilitating automated workflows in CI/CD pipelines. However, the compromised version contains embedded malicious code that allows remote attackers to access sensitive data by reading action logs. These logs may inadvertently expose secrets such as AWS access keys, GitHub personal access tokens (PATs), npm tokens, and private RSA keys.

Cascade of Compromises

The breach appears to be part of a cascading supply chain attack. Initial investigations by cloud security firm Wiz suggest that attackers first compromised the reviewdog/action-setup@v1 GitHub Action. Subsequently, the tj-actions/eslint-changed-files action, which depends on reviewdog/action-setup@v1, was infiltrated. This chain reaction allowed the malicious code to propagate to tj-actions/changed-files, thereby affecting numerous downstream projects that incorporated this action into their workflows.

Technical Details of the Exploit

The attack involves injecting a Base64-encoded payload into the install.sh script within the compromised action. When executed, this payload extracts and logs environment secrets, which are then accessible to the attackers. The breach was facilitated by a compromised GitHub Personal Access Token (PAT), enabling unauthorized modifications to the repository. Notably, the reviewdog GitHub organization, associated with the initial compromise, has a large contributor base and employs automated contributor invitations, potentially increasing its vulnerability to such attacks.

Recommended Mitigation Steps

In response to this active exploitation, CISA advises organizations and federal agencies to:

  • Update Affected Actions: Immediately upgrade to the latest version of tj-actions/changed-files (version 46.0.1 or later) by April 4, 2025, to mitigate the vulnerability.
  • Audit Workflows: Review past CI/CD workflows for any suspicious activity or unauthorized access, focusing on logs that may contain exposed secrets.
  • Rotate Secrets: Revoke and regenerate any credentials or secrets that may have been compromised to prevent unauthorized access.
  • Pin Dependencies: Configure GitHub Actions to reference specific commit hashes instead of mutable version tags to ensure the integrity of the actions being executed.

Conclusion

This incident underscores the critical importance of securing the software supply chain, particularly in CI/CD environments. Organizations must exercise vigilance in managing dependencies, regularly audit their workflows, and implement best practices such as pinning actions to immutable references. By proactively addressing these vulnerabilities, the risk of unauthorized access and potential data breaches can be significantly reduced.