Read SentinelOne's response to the tj-actions/changed-files attack and learn how to secure development pipelines with runtime security.
Analysis Summary
# Tool/Technique: tj-actions/changed-files Compromise (CVE-2025-30066)
## Overview
The `tj-actions/changed-files` GitHub Action, a widely used component in CI/CD pipelines (integrated into over 23,000 projects), was compromised via malicious code injection in tagged versions. This incident represents a major software supply chain attack where a trusted component was weaponized to exfiltrate sensitive credentials from build runner environments.
## Technical Details
- Type: Compromised Tool/Supply Chain Vulnerability
- Platform: CI/CD Runners (Specifically targeting Linux runners based on the shell script logic provided)
- Capabilities: Code execution within the build environment, downloading and executing secondary malware, memory scraping for secrets, and exfiltrating data via build logs.
- First Seen: March 12, 2025
## MITRE ATT&CK Mapping
- **TA0006 - Credential Access**
  - T1003 - OS Credential Dumping
    - T1003.001 - LSASS Memory
  - T1555 - Credentials from Password Stores
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol
    - T1071.001 - Web Protocols (via `curl` fetching Gist)
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information
    - T1027.001 - Obfuscated Files (via Base64 encoding)
- **TA0002 - Execution**
  - T1059 - Command and Scripting Interpreter
    - T1059.004 - Unix Shell
## Functionality
### Core Capabilities
- **Obfuscated Infiltration:** Malicious code was injected into the Action via a specific commit, utilizing obfuscation (Base64 encoding) within a `Node.js` function to hide the payload.
- **Remote Payload Retrieval:** The script used `curl` to download an external Python script (`memdump.py`) from a GitHub Gist.
### Advanced Features
- **Memory Scraping:** The downloaded Python script specifically targeted the memory space of the `Runner.Worker` process.
- **Targeted Credential Harvesting:** Used regular expressions (`grep -aoE '"[^"]+":\{"value":"[^"]*","isSecret":true\}'`) to precisely hunt for sensitive tokens, including AWS Access Keys, GitHub Personal Access Tokens (PATs), NPM tokens, and private RSA keys.
- **Covert Exfiltration:** Stolen secrets were double-encoded in base64 and intentionally dumped into the CI/CD workflow build logs for later retrieval by the adversary.
## Indicators of Compromise
- File Hashes: `0e58ed8671d6b60d0890c21b07f8835ace038e67` (the malicious commit hash)
- File Names: `memdump.py`
- Registry Keys: N/A
- Network Indicators:
  - `hxxps://gist.githubusercontent[.]com/nikitastupin/30e525b776c409e03c2d6f328f254965/raw/memdump.py` (C2/Payload download location)
- Behavioral Indicators:
  - Execution of `curl` with arguments to fetch the malicious Gist payload.
  - Execution of Python scripts (`sudo python3`) following the `curl` command.
  - Presence of double-encoded base64 strings within workflow build logs.
  - Shell logic checking for Linux environment (`if [[ "$OSTYPE" == "linux-gnu" ]]`).
## Associated Threat Actors
The article does not explicitly name a threat actor, framing this as an exploited third-party dependency attack.
## Detection Methods
- **Signature-based detection:** Searching for the specific malicious commit hash or the distinct command lines involving `curl` and `sudo python3` pointing to the Gist, or searching logs for the specific regex pattern used for secret extraction.
- **Behavioral detection:** Monitoring for unexpected process creation, specifically `curl` fetching external resources followed by direct memory manipulation attempts, or the appearance of unexpected base64-encoded data in logs.
- **YARA rules:** Potentially applicable against the retrieved `memdump.py` script or the obfuscated payload within the Action files.
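
One way to implement the log check described above, as an added example (not code from the original report): it scans a workflow log for base64 runs that decode twice into the `"name":{"value":"...","isSecret":true}` records matched by the grep pattern quoted earlier. The function names, the 40-character threshold and the sample log are assumptions constructed for illustration.

```python
import base64
import binascii
import re

# The page's grep pattern, applied here to the twice-decoded bytes.
SECRET_RE = re.compile(rb'"[^"]+":\{"value":"[^"]*","isSecret":true\}')
# Candidate base64 runs; the 40-character minimum is an assumption to cut noise.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")


def b64_or_none(data):
    """Strictly decode base64; return None when the input is not valid base64."""
    try:
        return base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return None


def find_leaked_secrets(log_text):
    """Return (line_number, secret_name) for each double-encoded secret record.

    Only the name is reported, so the scanner's own output never repeats a value.
    """
    hits = []
    for lineno, line in enumerate(log_text.encode().splitlines(), 1):
        for run in B64_RUN.findall(line):
            inner = b64_or_none(run)
            outer = b64_or_none(inner.strip()) if inner else None
            if not outer:
                continue
            for match in SECRET_RE.finditer(outer):
                hits.append((lineno, match.group(0).split(b'"')[1].decode(errors="replace")))
    return hits


def demo_log():
    """Constructed sample log: fake records, base64-encoded twice."""
    records = (b'"DEMO_NPM_TOKEN":{"value":"constructed-not-real","isSecret":true}\n'
               b'"DEMO_AWS_KEY":{"value":"constructed-not-real","isSecret":true}\n')
    blob = base64.b64encode(base64.b64encode(records)).decode()
    return "\n".join([
        "2025-03-14T00:00:01Z ##[group]Run example-step",
        "2025-03-14T00:00:02Z " + blob,
        "2025-03-14T00:00:03Z checksum " + "a" * 64,  # benign long token
    ])


if __name__ == "__main__":
    for lineno, name in find_leaked_secrets(demo_log()):
        print(f"line {lineno}: exposed secret name {name}")
```

Any secret name this reports should be treated as exposed and rotated, in line with the incident response step under Mitigation Strategies.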
## Mitigation Strategies
- **Dependency Pinning:** Commit pinning (using specific, verified hashes instead of version tags) for all third-party dependencies, including GitHub Actions.
- **Allow-listing:** Only permitting execution of known, approved actions and scripts.
- **Incident Response:** Conducting immediate digital forensics, searching repositories for use of the compromised Action, and rotating all potentially exposed credentials found in build environments/logs.
- **Logging & Monitoring:** Implementing proactive monitoring on CI/CD logs for unusual command execution patterns or large, encoded strings.
## Related Tools/Techniques
- Software Supply Chain Attack
- CI/CD Pipeline Poisoning
- GitHub Actions Abuse
- Memory Dumping Techniques (T1003)