Thursday, March 20, 2025

CISA Warns of Active Exploitation in GitHub Action Supply Chain Compromise

GitHub Action Supply Chain Compromise

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a vulnerability linked to the supply chain compromise of the GitHub Action tj-actions/changed-files to its Known Exploited Vulnerabilities (KEV) catalog.

The high-severity flaw, tracked as CVE-2025-30066 (CVSS score: 8.6), involves the breach of the GitHub Action to inject malicious code that enables a remote attacker to access sensitive data via actions logs.

"The tj-actions/changed-files GitHub Action contains an embedded malicious code vulnerability that allows a remote attacker to discover secrets by reading actions logs," CISA said in an alert.

"These secrets may include, but are not limited to, valid AWS access keys, GitHub personal access tokens (PATs), npm tokens, and private RSA keys."

Cloud security company Wiz has since revealed that the attack may have been an instance of a cascading supply chain attack, with unidentified threat actors first compromising the reviewdog/action-setup@v1 GitHub Action in order to infiltrate tj-actions/changed-files.

"tj-actions/eslint-changed-files uses reviewdog/action-setup@v1, and the tj-actions/changed-files repository runs this tj-actions/eslint-changed-files Action with a Personal Access Token," Wiz researcher Rami McCarthy said. "The reviewdog Action was compromised during roughly the same time window as the tj-actions PAT compromise."

It is currently not clear how this took place, but the reviewdog compromise is said to have occurred on March 11, 2025. The breach of tj-actions/changed-files took place sometime before March 14.

This means that the infected reviewdog action could be used to insert malicious code into any CI/CD workflow using it; in this case the inserted code was a Base64-encoded payload appended to a file named install.sh used by the workflow.

As in the case of tj-actions, the payload is designed to expose secrets from repositories running the workflow by writing them to the job logs. The issue affects only one tag (v1) of reviewdog/action-setup.

The maintainers of tj-actions have disclosed that the attack was the result of a compromised GitHub Personal Access Token (PAT) that enabled the attackers to modify the repository with unauthorized code.

"We can tell the attacker gained sufficient access to update the v1 tag to the malicious code they had placed on a fork of the repository," McCarthy said.

"The reviewdog GitHub Organization has a relatively large contributor base and appears to be actively adding contributors through automated invites. This increases the attack surface for a contributor's access to have been compromised or contributor access to have been gained maliciously."

In light of the compromise, affected users and federal agencies are advised to update to the latest version of tj-actions/changed-files (46.0.1) by April 4, 2025, to secure their networks against active threats. But given the root cause, there is a risk of recurrence.

Besides replacing the affected actions with safer alternatives, it is advised to audit past workflows for suspicious activity, rotate any leaked secrets, and pin all GitHub Actions to specific commit hashes instead of version tags, since a tag such as v1 can be moved to new code while a commit SHA cannot.
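The following script is an added example, not code from the article or from either project, showing how a workflow audit for the last recommendation could look: it scans workflow YAML for `uses:` references, flags any reference to the two actions named above that is still pinned by tag, and warns about every other action not pinned to a full commit SHA. The sample workflow and the 40-character SHA in it are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Actions named in the advisory; both were compromised by moving a mutable tag (v1).
COMPROMISED_ACTIONS = {"tj-actions/changed-files", "reviewdog/action-setup"}

# Matches `uses: owner/repo[/subpath]@ref`; local (./) and docker:// references are skipped.
USES_RE = re.compile(
    r'^\s*-?\s*uses:\s*["\']?([A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+)(?:/[^@\s"\']+)?@([^\s"\'#]+)'
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # a full commit SHA is an immutable pin

@dataclass
class Finding:
    line_no: int
    action: str
    ref: str
    severity: str  # "critical": known-compromised action by tag; "warn": any other tag pin

def audit_workflow(text: str) -> list[Finding]:
    """Return every `uses:` reference that is not pinned to a full commit SHA."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group(1), m.group(2)
        if SHA_RE.match(ref):
            continue  # a SHA cannot be rewritten the way the v1 tag was
        severity = "critical" if action in COMPROMISED_ACTIONS else "warn"
        findings.append(Finding(n, action, ref, severity))
    return findings

# Constructed sample workflow (not from the page); the SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: reviewdog/action-setup@v1
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"[{f.severity}] line {f.line_no}: {f.action}@{f.ref} is not SHA-pinned")
```

Run it over every file under .github/workflows/ of each repository; a "critical" hit means the workflow could have executed the rewritten tag during the compromise window and its secrets should be treated as exposed.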
