Source URL: https://www.cisa.gov/news-events/alerts/2025/03/18/supply-chain-compromise-third-party-github-action-cve-2025-30066
Source: Alerts
Title: Supply Chain Compromise of Third-Party GitHub Action, CVE-2025-30066
Feedly Summary:
A popular third-party GitHub Action, tj-actions/changed-files (tracked as CVE-2025-30066), was compromised. This GitHub Action is designed to detect which files have changed in a pull request or commit. The supply chain compromise allows for information disclosure of secrets including, but not limited to, valid access keys, GitHub Personal Access Tokens (PATs), npm tokens, and private RSA keys. This has been patched in v46.0.1.
CISA added CVE-2025-30066 to its Known Exploited Vulnerabilities Catalog.
CISA strongly urges users to implement the recommendations to mitigate this compromise and strengthen security when using third-party actions.
See the following resources for more guidance:
GitHub: tj-actions changed-files through 45.0.7 allows remote attackers to discover secrets by reading actions logs
GitHub: Security hardening for GitHub Actions – GitHub Docs
GitHub: tj-actions/changed-files: GitHub action to retrieve all (added, copied, modified, deleted, renamed, type changed, unmerged, unknown) files and directories
StepSecurity: Harden-Runner detection: tj-actions/changed-files action is compromised
Wiz: GitHub Action tj-actions/changed-files supply chain attack
Organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at Report@cisa.gov or (888) 282-0870.
This alert is provided “as is” for informational purposes only. CISA does not provide any warranties of any kind regarding any information within. CISA does not endorse any commercial product, entity, or service referenced in this alert or otherwise.
AI Summary and Description: Yes
Summary: The text discusses the compromise of the GitHub Action “tj-actions/changed-files,” classified as CVE-2025-30066, which has led to the potential exposure of sensitive information such as access keys and tokens. The incident highlights critical supply chain security vulnerabilities associated with third-party tools in software development.
Detailed Description:
The compromise of the tj-actions/changed-files GitHub Action represents a significant issue in the realm of software security and supply chain security. Here are the key points of significance:
– **CVE-2025-30066**: This vulnerability, tracked by CISA, resulted from the GitHub Action being compromised, leading to unauthorized access to sensitive information through actions logs.
– **Impact on Security**: The incident’s implications are serious, involving the potential disclosure of secrets including:
  – Valid access keys
  – GitHub Personal Access Tokens (PATs)
  – npm tokens
  – Private RSA keys
– **Mitigation Recommendations**: CISA strongly advises users to implement specific recommendations to mitigate the risks posed by this vulnerability and to reinforce security measures when utilizing third-party actions.
– **Urgency for Users**: The alert urges prompt action from all organizations using the affected GitHub Action, emphasizing the necessity of strengthening security protocols around supply chain components.
– **Resources for Guidance**: The text references various resources that provide additional guidance on hardening security practices concerning GitHub Actions, including:
  – GitHub’s security documentation
  – External analysis from security vendors like StepSecurity and Wiz addressing the incident further.
– **Incident Reporting**: Organizations experiencing anomalous activity are encouraged to report their findings to CISA’s Operations Center, indicating the collaborative aspect of cybersecurity defense.
The incident illustrates the increasing risks associated with reliance on third-party tools in software development, reinforcing the need for ongoing vigilance and stringent security controls in the software development lifecycle.
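The alert gives the affected range (through 45.0.7, fixed in v46.0.1) and points to GitHub's hardening guidance without spelling out the recommendations. The following added example, which is not part of the CISA alert or the tj-actions project, audits workflow files for exactly that: references to tj-actions/changed-files at an affected or unresolvable version, and any third-party action referenced by a mutable tag or branch rather than a full commit SHA (the pinning rule is GitHub's general hardening advice, which the alert links). The sample workflow text is constructed for the example.

```python
import re

# From the alert: tj-actions/changed-files through 45.0.7 is affected, patched in v46.0.1.
AFFECTED_ACTION = "tj-actions/changed-files"
FIXED_VERSION = (46, 0, 1)

# `uses: owner/repo[/path]@ref`; a regex instead of PyYAML keeps the example dependency-free.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^@\s'\"]+)@([^\s'\"#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_RE = re.compile(r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?$")


def classify_version(ref):
    """'affected', 'fixed' or 'ambiguous' for a version tag; None for branches and SHAs."""
    m = VERSION_RE.match(ref)
    if not m:
        return None
    # 'v45' covers any 45.x.y: pad with zeros for a lower bound, huge numbers for an upper bound.
    nums = [int(p) for p in m.groups() if p is not None]
    lo = tuple(nums + [0] * (3 - len(nums)))
    hi = tuple(nums + [10**9] * (3 - len(nums)))
    if hi < FIXED_VERSION:
        return "affected"
    if lo >= FIXED_VERSION:
        return "fixed"
    return "ambiguous"  # e.g. 'v46' may resolve to an unpatched or a patched release


def audit_workflow(yaml_text):
    """Return (action, ref, finding) for each `uses:` reference that needs attention."""
    findings = []
    for action, ref in USES_RE.findall(yaml_text):
        if action.startswith("docker://"):
            continue  # container images are outside this check; local ./ actions carry no @ref
        if FULL_SHA_RE.match(ref):
            continue  # immutable pin; still confirm the commit is upstream's, not an attacker's
        finding = "mutable-ref"  # a tag or branch can be retargeted after you reviewed it
        if action == AFFECTED_ACTION:
            labels = {"affected": "CVE-2025-30066-affected-version", "fixed": "patched-but-mutable-tag"}
            finding = labels.get(classify_version(ref), "CVE-2025-30066-unresolvable-ref")
        findings.append((action, ref, finding))
    return findings


# Constructed sample workflow for this example, not taken from any real repository.
SAMPLE_WORKFLOW = """\
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45.0.7
      - uses: 'tj-actions/changed-files@v46.0.1'
      - uses: tj-actions/changed-files@main
      - uses: some-org/some-action@0123456789abcdef0123456789abcdef01234567
"""
```

Running `audit_workflow(SAMPLE_WORKFLOW)` flags the v45.0.7 reference as affected, the branch reference as unresolvable, and the patched v46.0.1 tag and `actions/checkout@v4` as mutable references; the SHA-pinned step produces no finding.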