CISA Warns of Active Exploitation in GitHub Action Supply Chain Compromise

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a vulnerability linked to the supply chain compromise of the GitHub Action tj-actions/changed-files to its Known Exploited Vulnerabilities (KEV) catalog.

The high-severity flaw, tracked as CVE-2025-30066 (CVSS score: 8.6), involves the breach of the GitHub Action to inject malicious code that enables a remote attacker to access sensitive data via actions logs.

"The tj-actions/changed-files GitHub Action contains an embedded malicious code vulnerability that allows a remote attacker to discover secrets by reading actions logs," CISA said in an alert.


"These secrets may include, but are not limited to, valid AWS access keys, GitHub personal access tokens (PATs), npm tokens, and private RSA keys."

Cloud security company Wiz has since revealed that the attack may have been an instance of a cascading supply chain attack, with unidentified threat actors first compromising the reviewdog/action-setup@v1 GitHub Action to infiltrate tj-actions/changed-files.


"tj-actions/eslint-changed-files uses reviewdog/action-setup@v1, and the tj-actions/changed-files repository runs this tj-actions/eslint-changed-files Action with a Personal Access Token," Wiz researcher Rami McCarthy said. "The reviewdog Action was compromised during roughly the same time window as the tj-actions PAT compromise."

It is currently not clear how this took place, but the compromise is said to have occurred on March 11, 2025. The breach of tj-actions/changed-files took place sometime before March 14.

This means that the infected reviewdog action could be used to insert malicious code into any CI/CD workflow using it, in this case a Base64-encoded payload that is appended to a file named install.sh used by the workflow.

As in the case of tj-actions, the payload is designed to expose secrets from repositories running the workflow in logs. The issue affects only one tag (v1) of reviewdog/action-setup.

The maintainers of tj-actions have disclosed that the attack was the result of a compromised GitHub Personal Access Token (PAT) that enabled the attackers to modify the repository with unauthorized code.


"We can tell the attacker gained sufficient access to update the v1 tag to the malicious code they had placed on a fork of the repository," McCarthy said.


"The reviewdog GitHub Organization has a relatively large contributor base and appears to be actively adding contributors through automated invites. This increases the attack surface for a contributor's access to have been compromised or for contributor access to have been gained maliciously."

In light of the compromise, affected users and federal agencies are advised to update to the latest version of tj-actions/changed-files (46.0.1) by April 4, 2025, to secure their networks against active threats. But given the root cause, there is a risk of recurrence.

Besides replacing the affected actions with safe alternatives, it is advised to audit past workflows for suspicious activity, rotate any leaked secrets, and pin all GitHub Actions to specific commit hashes instead of version tags.
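The pinning advice above is easy to check mechanically. The following script is an added example, not code from CISA, Wiz or the tj-actions project: it scans workflow text for `uses:` references, flags any that name one of the actions discussed in this article, and flags every third-party action that is pinned to a tag or branch rather than a full 40-character commit SHA (a tag such as v1 can be moved to attacker-controlled code, which is exactly what happened to reviewdog/action-setup@v1). The sample workflow and the 40-hex SHA in it are constructed for the demonstration and do not correspond to any real commit.

```python
import re
from dataclasses import dataclass

# Actions named in the advisory this example accompanies. Any reference to
# them is reported regardless of how it is pinned.
ACTIONS_NAMED_IN_ADVISORY = {
    "tj-actions/changed-files",
    "tj-actions/eslint-changed-files",
    "reviewdog/action-setup",
}

# Matches "uses: owner/repo@ref" (optionally quoted, optionally a list item).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)['\"]?", re.MULTILINE)
# A full-length commit SHA; short SHAs and tags do not count as pinned.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Finding:
    action: str   # owner/repo[/path]
    ref: str      # whatever followed the '@', empty if absent
    reason: str


def audit_workflow(text: str) -> list[Finding]:
    """Return one Finding per problem found in the workflow text."""
    findings: list[Finding] = []
    for match in USES_RE.finditer(text):
        target = match.group(1)
        # Local composite actions and docker:// images are outside this check.
        if target.startswith("./") or target.startswith("docker://"):
            continue
        action, _, ref = target.partition("@")
        # owner/repo is the first two path segments; subpaths are allowed.
        repo = "/".join(action.split("/")[:2])
        if repo in ACTIONS_NAMED_IN_ADVISORY:
            findings.append(Finding(action, ref, "references an action named in the advisory"))
        if not FULL_SHA_RE.fullmatch(ref):
            findings.append(Finding(action, ref, "not pinned to a full 40-hex commit SHA"))
    return findings


# Constructed sample workflow; the SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: reviewdog/action-setup@v1
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567  # pinned
      - uses: ./.github/actions/local-helper
"""


def unpinned_actions(text: str) -> set[str]:
    """Convenience view: just the actions that are not SHA-pinned."""
    return {f.action for f in audit_workflow(text) if f.reason.startswith("not pinned")}


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{f.action}@{f.ref or '<none>'}: {f.reason}")
```

Run against a real repository by feeding it the contents of each file under `.github/workflows/`. Anything reported as unpinned should be moved to a commit SHA (keeping the tag in a trailing comment for readability), and any hit on an action named in the advisory should trigger the log audit and secret rotation described above.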
