Full Report
Cybersecurity researchers are calling attention to an incident in which the popular GitHub Action tj-actions/changed-files was compromised to leak secrets from repositories using the continuous integration and continuous delivery (CI/CD) workflow. The incident involved the tj-actions/changed-files GitHub Action, which is used in over 23,000 repositories. It's used to track and retrieve all
Analysis Summary
# Incident Report: GitHub Action Supply Chain Compromise (CVE-2025-30066)
## Executive Summary
A critical supply chain attack targeted the widely used GitHub Action `tj-actions/changed-files`, affecting over 23,000 repositories that utilized the workflow. Attackers modified the action's code and retroactively updated version tags to execute a malicious Python script during CI/CD runs. This script was designed to dump sensitive CI/CD secrets—such as AWS keys and PATs—into publicly accessible workflow logs, creating a significant risk of unauthorized access across thousands of organizations. The compromise was eventually contained by revoking the compromised token and releasing an emergency patch.
## Incident Details
- **Discovery Date:** Sometime around March 14/15, 2025 (implied discovery close to the attack window)
- **Incident Date:** Occurred sometime before March 14, 2025
- **Affected Organization:** TJ-Actions Organization and over 23,000 downstream users of the `tj-actions/changed-files` GitHub Action.
- **Sector:** Technology / Software Development (CI/CD)
- **Geography:** Global (Internet-facing software supply chain)
## Timeline of Events
### Initial Access
- **Date/Time:** Sometime before March 14, 2025
- **Vector:** Compromise of a GitHub Personal Access Token (PAT) belonging to the bot account `@tj-actions-bot`, which had privileged write access to the repository.
- **Details:** Threat actors gained control over the bot account, allowing them to modify the code of the `tj-actions/changed-files` action.
### Lateral Movement
- **Details:** Attackers modified the action's code and retroactively updated multiple version tags to point to the malicious commit, ensuring that users pulling older, trusted versions were still susceptible to the attack.
### Data Exfiltration/Impact
- **Details:** The malicious code executed a Python script hosted on a GitHub gist (since taken down) that dumped CI/CD secrets found within the GitHub Actions Runner Worker process directly into the workflow build logs. This included AWS access keys, GitHub PATs, npm tokens, and private RSA Keys. *Note: There is currently no evidence that the leaked secrets were successfully siphoned to attacker-controlled infrastructure.*
### Detection & Response
- **How it was discovered:** Cybersecurity researchers brought attention to the issue, leading to formal reporting (implied discovery around March 14-15, 2025).
- **Response actions taken:** Maintainers revoked the compromised PAT, updated the account password, upgraded authentication to use a passkey, and reduced the account's permissions to follow the principle of least privilege. GitHub revoked the affected PAT. An emergency patch (v46.0.1) was released.
## Attack Methodology
| Phase | Method |
| :--- | :--- |
| **Initial Access** | Compromise of a privileged GitHub PAT used by the bot maintainer account (`@tj-actions-bot`). |
| **Persistence** | Modifying the action source code and retroactively updating version tags to ensure legacy users would pull the malicious payload. |
| **Privilege Escalation** | N/A (Attackers leveraged existing high privileges from the compromised PAT). |
| **Defense Evasion** | N/A (The malicious code executed as part of a legitimate CI/CD process). |
| **Credential Access** | The payload specifically targeted and dumped secrets available within the active GitHub Actions Runner environment. |
| **Discovery** | N/A (Payload executed immediately upon triggering the affected workflow). |
| **Lateral Movement** | N/A (Impact was confined to secrets exposed in the workflow logs of downstream users). |
| **Collection** | Execution of a Python script hosted on a GitHub gist to collect environment secrets. |
| **Exfiltration** | Writing the collected secrets directly into the publicly visible GitHub Actions build logs. |
| **Impact** | Exposure of sensitive cryptographic keys and access tokens needed for production environments. |
## Impact Assessment
- **Financial:** (Not disclosed in the summary, but potential costs include investigation, remediation of compromised keys, and potential service disruption if exfiltrated secrets were misused.)
- **Data Breach:** Exposure of numerous sensitive secrets, including AWS access keys, GitHub PATs, npm tokens, and private RSA Keys. Scope affects over 23,000 repositories.
- **Operational:** Users executing the affected action between March 14 and March 15 risked immediate exposure of production or deployment credentials.
- **Reputational:** Significant negative impact on the trust placed in open-source CI/CD dependencies and the software supply chain ecosystem.
## Indicators of Compromise
(Note: As the malicious code/gist was removed, specific IOCs are abstract or behavioral based on reporting.)
- **Network indicators:** Outbound connections/requests made by the runner worker process to an external domain hosting a Python script (the GitHub gist URL is not provided here).
- **File indicators:** Presence of the malicious Python script payload within the `tj-actions/changed-files` Action code/commit history.
- **Behavioral indicators:** Unexpected output appearing in the workflow logs under the `changed-files` action section, specifically dumped secrets.
## Response Actions
- **Containment measures:** Developers were immediately advised to update to version `46.0.1`. The compromised GitHub PAT was revoked by maintainers, and GitHub also revoked it.
- **Eradication steps:** The malicious code was removed from the action repository. The threat actor's mechanism (the GitHub gist) was taken down. Access credentials associated with the bot were secured (password updated, moved to passkey authentication).
- **Recovery actions:** Users who ran the action between March 14 and March 15 were advised to review their workflow logs and immediately rotate any exposed secrets (AWS keys, PATs, etc.).
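
The log review in the recovery step above can be partly automated. The following is an added example, not code from the incident or from the `tj-actions` project. It flags workflow-log lines that contain token shapes for the secret types this report lists. It also decodes base64-looking runs up to two layers deep, an assumption made here in case dumped values are encoded rather than printed verbatim. The sample log and every value in it are constructed.

```python
import base64
import re

# Well-known shapes of the secret types the report lists.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\b(?:ghp_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{22,})\b"),
    "npm_token": re.compile(r"\bnpm_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA )?PRIVATE KEY-----"),
}
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def _layers(text, depth, encoded=False):
    """Yield (text, encoded) for text and for base64 runs decoded from it."""
    yield text, encoded
    if depth:
        for run in B64_RUN.findall(text):
            try:
                inner = base64.b64decode(run, validate=True).decode("utf-8")
            except ValueError:  # not base64, or not text once decoded
                continue
            yield from _layers(inner, depth - 1, True)


def scan_log(log_text, depth=2):
    """Return sorted (line_no, kind, was_encoded) hits, never the secret value."""
    hits = set()
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for text, encoded in _layers(line, depth):
            for kind, pattern in PATTERNS.items():
                if pattern.search(text):
                    hits.add((line_no, kind, encoded))
    return sorted(hits)


# Constructed sample log; every "secret" in it is a fake placeholder.
_fake_pat = "ghp_" + "x" * 36
_twice = base64.b64encode(base64.b64encode(f"TOKEN={_fake_pat}".encode())).decode()
SAMPLE_LOG = "\n".join([
    "step: changed-files (constructed log line)",
    "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    _twice,
    "Build finished",
])

if __name__ == "__main__":
    for line_no, kind, encoded in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {kind} (base64-encoded: {encoded})")
```

Any hit means the matching credential should be rotated; the scanner reports only the line number and secret type so its own output does not re-expose the value.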
## Lessons Learned
- **Key takeaways:** Open-source software supply chain dependencies pose significant, high-impact risks, as a single compromise can affect thousands of downstream organizations instantly. Reliance on a single privileged token for repository write access creates a single point of failure.
- **What could have been done better:** Increased scrutiny or multi-factor authentication requirements for committing changes or updating version tags in high-visibility actions.
## Recommendations
- Implement granular permissions review and the **Principle of Least Privilege** for all bot accounts and service tokens used within CI/CD systems.
- Adopt aggressive token rotation policies, especially for highly privileged PATs used in repository maintenance.
- Users of third-party actions should enforce actions signing or pin dependencies to specific, immutable commit hashes (full commit SHAs) rather than relying solely on version tags, which can be repointed to a different commit, as happened in this incident.
- Review all workflow runs immediately following the discovery window for anomalous output in build logs.