Compromised GitHub Action Threatens CI/CD Secrets in More Than 23,000 Repositories

By Admin, March 17, 2025

March 17, 2025, Ravie Lakshmanan, Vulnerability / cloud security

Cybersecurity researchers are calling attention to an incident in which the popular GitHub Action tj-actions/changed-files was compromised to leak secrets from repositories that use it in their continuous integration and continuous delivery (CI/CD) workflows.

The incident involves the tj-actions/changed-files GitHub Action, which is used in more than 23,000 repositories. It is used to track and retrieve all changed files and directories.

The supply chain compromise has been assigned the CVE identifier CVE-2025-30066 (CVSS score: 8.6). The incident is said to have taken place sometime before March 14, 2025.


"In this attack, the attackers modified the action's code and retroactively updated multiple version tags to point to it," the researchers noted. "The compromised action prints CI/CD secrets in GitHub Actions build logs."

The net result is that, if the workflow logs are publicly accessible, they can expose sensitive secrets without authorization whenever the action runs in a repository.

These include AWS access keys, GitHub personal access tokens (PATs), npm tokens and RSA private keys, among others. That said, there is no evidence that the leaked secrets were exfiltrated to any attacker-controlled infrastructure.

Specifically, the maliciously inserted code is designed to run a Python script hosted on a GitHub Gist that dumps the CI/CD secrets from the Runner Worker process. The change is said to have originated from an unverified source. The GitHub Gist has since been taken down.

The project maintainers stated that the unknown threat actor(s) behind the incident compromised a GitHub personal access token (PAT) used by @tj-actions-bot, a bot with privileged access to the repository.

After the account compromise was detected, its password was updated, its authentication was upgraded to use a passkey, and its permission level was reduced to follow the principle of least privilege. GitHub has also revoked the compromised PAT.

"The personal access token affected was stored as a GitHub Action secret, which has since been revoked," the maintainers added. "Going forward, no PAT will be used for any tj-actions project, to prevent the risk of recurrence."


Everyone who uses the GitHub Action is recommended to update to the latest version (46.0.1) as soon as possible. Users are also advised to review all workflows executed between March 14 and March 15 and check for "unexpected output under the changed-files section."

The development once again highlights how open-source software remains particularly susceptible to supply chain risks, which can have serious consequences for many downstream customers at once.

"As of March 15, 2025, all versions of tj-actions/changed-files were affected," the researchers noted.

"Customers who used a hash-pinned version of tj-actions/changed-files would not be affected if they did not update the hash during that window."
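The hash-pinning point above can be checked mechanically. The following Python script is an added example (not from the article, and not code from the tj-actions project) that flags `uses:` lines in a workflow whose ref is a mutable tag or branch rather than a full 40-character commit SHA; the sample workflow text and the SHA in it are constructed placeholders.

```python
import re

# Matches a GitHub Actions `uses:` line and splits it into the action path
# and the ref after the '@' (tag, branch or commit SHA).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^@'\"\s]+)@([^'\"\s#]+)", re.M)
# A full 40-hex commit SHA is the only ref the repository owner cannot
# silently retarget; tags and branches can be moved, which is what the
# retroactive tag rewrite in this incident exploited.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow (not taken from any real repository). The SHA
# below is a placeholder, not the real hash of any changed-files release.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Changed files (pinned to a commit)
        uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - name: Changed files (mutable tag)
        uses: tj-actions/changed-files@v45
"""


def find_unpinned_uses(workflow_text, action_prefix="tj-actions/"):
    """Return (action, ref) pairs whose ref is not a full commit SHA.

    By default only actions under `action_prefix` are reported; pass "" to
    audit every action referenced in the workflow file.
    """
    findings = []
    for action, ref in USES_RE.findall(workflow_text):
        if not action.startswith(action_prefix):
            continue
        if not FULL_SHA_RE.match(ref):
            findings.append((action, ref))
    return findings


if __name__ == "__main__":
    for action, ref in find_unpinned_uses(SAMPLE_WORKFLOW, action_prefix=""):
        print(f"unpinned: {action}@{ref}  (pin to a full commit SHA)")
```

Run it over each file under `.github/workflows/` to list steps that still track a mutable tag; a pinned step only picks up a new release when you deliberately update the SHA.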
