The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about an actively exploited vulnerability affecting GitHub Actions, specifically the “tj-actions/changed-files” workflow. The security flaw, cataloged as CVE-2025-30066 with a CVSS severity score of 8.6, enables attackers to inject malicious code and access sensitive data through action logs. As a result, this vulnerability has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.
The GitHub Actions Supply Chain Compromise
GitHub Actions is a widely used automation tool for CI/CD workflows, making any security breach in its ecosystem a serious concern. According to CISA, the vulnerability in “tj-actions/changed-files” allows unauthorized attackers to extract critical secrets from logs. These may include AWS access keys, GitHub personal access tokens (PATs), npm tokens, and private RSA keys, posing a severe security risk to developers and organizations.
The cybersecurity firm Wiz has revealed that this incident is part of a larger supply chain attack. Researchers found that attackers first compromised another GitHub Action, “reviewdog/action-setup@v1,” and then used it to target “tj-actions/changed-files.”
Timeline of the Attack
March 11, 2025: Attackers gained access to “reviewdog/action-setup@v1,” injecting malicious code.
Before March 14, 2025: The compromise extended to “tj-actions/changed-files,” allowing the attackers to further spread the malware.
March 14, 2025: Security researchers identified and reported the breach.
The attack exploited the dependency chain, where “tj-actions/eslint-changed-files” relied on “reviewdog/action-setup@v1.” This interdependency provided attackers with a gateway to insert a Base64-encoded malicious payload into a file named install.sh, which was then executed within affected workflows.
How Attackers Exploited the Flaw
The attack method involved injecting malicious code into GitHub repositories via a compromised Personal Access Token (PAT). Once inside the system, the attackers could update repository tags, adding harmful scripts that exposed sensitive secrets from running workflows.
Security researchers noted that the “reviewdog” GitHub Organization has a relatively large contributor base and an automated invitation system for new members. This open access may have inadvertently expanded the attack surface, allowing unauthorized actors to gain control over the repository.
Impact and Mitigation Measures
Organizations using the affected GitHub Actions must take immediate steps to secure their repositories. CISA has recommended the following actions:
Update Immediately: Users should upgrade to “tj-actions/changed-files” version 46.0.1 by April 4, 2025, to mitigate the risk of further exploitation.
Audit Workflows: Review past workflow executions for any signs of suspicious activity or unauthorized modifications.
Rotate Secrets: Change all potentially exposed credentials, including AWS keys and GitHub PATs, to prevent unauthorized access.
Pin Actions to Specific Commits: Instead of relying on version tags, users should specify commit hashes when referencing GitHub Actions. This prevents attackers from injecting malicious updates into versioned workflows.
Consider Safer Alternatives: If possible, replace the compromised actions with more secure options that have undergone rigorous security reviews.
The Risk of Recurrence
While patching affected repositories is essential, security experts warn that similar attacks could happen again. The root cause—compromised access tokens—suggests that attackers could target other repositories in the future using similar techniques. The open-source nature of GitHub and its automation tools makes it imperative for developers to implement strict security policies, including:
Enforcing Multi-Factor Authentication (MFA): Ensuring that only authorized users can access sensitive repositories.
Limiting Access Permissions: Providing the minimum necessary privileges to contributors and automations.
Monitoring for Anomalies: Using security tools to detect unusual activity in repositories and workflows.
Conclusion
The GitHub Actions supply chain attack highlights the growing risks in the CI/CD ecosystem. With attackers continuously finding ways to exploit open-source dependencies, security must be a top priority for developers and organizations alike. By following CISA’s recommendations—updating compromised actions, auditing workflows, rotating credentials, and pinning dependencies to specific commits—organizations can significantly reduce their exposure to such threats.
As the cybersecurity landscape evolves, proactive security measures will be essential in safeguarding sensitive data from future supply chain compromises. Stay informed, stay updated, and prioritize security in all development workflows.
Follow us on 
(Twitter) for real time updates and exclusive content.
Interesting Article : Severe AMI MegaRAC Vulnerability Exposes Data Centers to Attacks