CyberSecurity news


@itpro.com //
A critical security incident has been detected involving the widely used GitHub Action "tj-actions/changed-files," tracked as CVE-2025-30066. Attackers modified the action's code and retroactively updated multiple version tags to point to the malicious commit. As a result, the malicious code printed CI/CD secrets in GitHub Actions build logs, potentially exposing them in public repositories. The "tj-actions/changed-files" GitHub Action is used in over 23,000 repositories, making the scale of this compromise significant. GitHub has removed the "tj-actions/changed-files" Action, preventing it from being used in GitHub Actions workflows.

The malicious commit, identified as 0e58ed8 ("chore(deps): lock file maintenance (#2460)"), was added to all 361 tagged versions of the GitHub Action. The commit introduced a script that can leak CI/CD secrets from runner memory. The anomaly was detected by StepSecurity's Harden-Runner, which identified suspicious outbound network requests directed at gist.githubusercontent.com. Immediate action is necessary to mitigate the risk of credential theft and CI pipeline compromise. StepSecurity has urged maintainers of public repositories using the compromised Action to review recovery steps immediately, as multiple public repositories have been found to have leaked secrets in build logs.
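Because existing version tags were moved to the malicious commit, any workflow that referenced the action by tag picked up the change. The following added example (not from the original article or the tj-actions project) scans workflow text for references to the affected action and for other actions referenced by a tag or branch instead of a full commit SHA; the sample workflow, `example-org/example-action` and the function name are constructed for illustration.

```python
import re

# Action named in the article; every other name below is an assumption of this example.
COMPROMISED = "tj-actions/changed-files"
# Matches "uses: owner/repo@ref" and "- uses: ..." but not commented-out lines.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def audit_workflow(text):
    """Return (line_no, reference, finding) for each risky `uses:` line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        # Local actions and docker:// images are outside the scope of this check.
        if ref.startswith(("./", "docker://")):
            continue
        action, _, version = ref.partition("@")
        owner_repo = "/".join(action.split("/")[:2]).lower()
        if owner_repo == COMPROMISED:
            # Flag every use for review, whatever ref it is pinned to.
            findings.append((line_no, ref, "compromised-action"))
        elif not FULL_SHA_RE.match(version):
            # A tag or branch can be moved to a different commit later.
            findings.append((line_no, ref, "mutable-ref"))
    return findings

# Constructed sample workflow (not taken from any real repository).
SAMPLE = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v1
      - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567  # v1.2.3
      - name: local
        uses: ./.github/actions/lint
"""

if __name__ == "__main__":
    for line_no, ref, finding in audit_workflow(SAMPLE):
        print(f"line {line_no}: {ref}: {finding}")
```

A finding of `mutable-ref` means the reference resolves through a tag or branch that the action's maintainers, or anyone who gains write access to the repository, can repoint.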


References :
  • Open Source Security: tj-action/changed-files GitHub action was compromised
  • securityonline.info: Popular GitHub Action “tj-actions/changed-files” Compromised (CVE-2025-30066)
  • Rescana: GitHub Actions Security Breach: tj-actions/changed-files-action Supply Chain Vulnerability Analysis
  • Wiz Blog | RSS feed: GitHub Action tj-actions/changed-files supply chain attack: everything you need to know