The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a vulnerability linked to the supply chain compromise of the GitHub Action tj-actions/changed-files to its Known Exploited Vulnerabilities (KEV) catalog.
The high-severity flaw, tracked as CVE-2025-30066 (CVSS score: 8.6), involves the GitHub Action being injected with malicious code that allows a remote attacker to access sensitive data through action logs.
"The GitHub Action tj-actions/changed-files contains an embedded malicious code vulnerability that allows a remote attacker to discover secrets by reading action logs," CISA noted in an advisory.
"These secrets may include, but are not limited to, valid AWS access keys, GitHub Personal Access Tokens (PATs), npm tokens, and private RSA keys."
Cloud security company Wiz has since revealed that the attack may have been an instance of a cascading supply chain attack, with unspecified threat actors first compromising the reviewdog/action-setup@v1 GitHub Action in order to infiltrate tj-actions/changed-files.
"tj-actions/eslint-changed-files uses reviewdog/action-setup@v1, and the tj-actions/changed-files repository runs this tj-actions/eslint-changed-files Action in its test workflows," Wiz noted. "reviewdog's Action was compromised during the same time window as the tj-actions compromise."
It is currently not clear how this happened, but the compromise is said to have taken place on March 11, 2025. The breach of tj-actions/changed-files occurred at some point before March 14.
This means the infected reviewdog Action could be used to introduce malicious code into any CI/CD workflow that consumes it; in this case the payload was Base64-encoded and appended to a file named install.sh that the workflow executes.
As with tj-actions, the payload is designed to dump the secrets of repositories running the workflow into the logs. The problem only affects the v1 tag of reviewdog/action-setup.
The tj-actions maintainers have revealed that the attack was the result of a compromised GitHub Personal Access Token (PAT) that allowed the attackers to modify the repository with unauthorized code.
"We can say that the attacker gained sufficient access to update the v1 tag to the malicious code they placed on a fork of the repository," Wiz researcher Rami McCarthy said.
"The reviewdog GitHub organization has a relatively large contributor base and appears to be actively adding contributors through automated invites. This increases the attack surface for a contributor's access to have been compromised, or for contributor access to have been obtained maliciously."
In light of the compromise, affected users and federal agencies are recommended to update to the latest version of tj-actions/changed-files (46.0.1) by April 4, 2025, to secure their networks against active threats. But given the root cause, there is a risk of recurrence.
Besides replacing the affected Actions with safer alternatives, it is advised to audit past workflow runs for suspicious activity, rotate any secrets that may have been exposed, and pin all GitHub Actions to specific commit hashes instead of version tags. A version tag is a mutable pointer, which is exactly what the attacker only had to move in the reviewdog case; a full commit SHA cannot be silently repointed.
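The audit and pinning advice above, as an added illustration that is not from the article or from any of the projects named in it: a small Python script that scans a workflow file for `uses:` references, flags the two actions the article reports as compromised, and flags any other third-party action that is referenced by a mutable tag rather than a full 40-hex-digit commit SHA. The sample workflow is constructed for this example, the commit hash in it is only a placeholder for a reviewed commit, and `suggest_pin` assumes the caller has already resolved and reviewed the tag (for instance with `git ls-remote`); nothing here contacts GitHub.

```python
import re

# Constructed sample workflow for this example; it is not taken from any real
# repository. It mixes a commit-pinned step, tag-pinned steps, a local action,
# a container action and the two actions named in the article.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
      - uses: tj-actions/changed-files@v45
      - uses: reviewdog/action-setup@v1
      - name: lint
        uses: ./.github/actions/lint
      - uses: docker://alpine:3.19
      - uses: actions/setup-node@v4.0.2   # a tag, not a commit hash
"""

# The two actions the article reports as compromised, keyed by owner/repo.
COMPROMISED_ACTIONS = {"tj-actions/changed-files", "reviewdog/action-setup"}

# 'uses:' values, with or without quotes, stopping before a trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"#\s]+)")
# A full 40-hex-digit commit SHA is the only immutable reference to an action.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_uses(workflow_text):
    """Yield (line_number, reference) for every 'uses:' entry in a workflow."""
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if match:
            yield lineno, match.group(1)


def audit_workflow(workflow_text):
    """Return findings for unpinned or known-compromised action references.

    Each finding is a dict with the line number, the reference as written,
    the owner/repo it resolves to and a 'reason' of 'compromised' or 'unpinned'.
    A compromised action is reported even if it happens to be SHA-pinned,
    because the pinned commit itself still has to be reviewed.
    """
    findings = []
    for lineno, ref in parse_uses(workflow_text):
        # Local actions and container images have no upstream tag to pin here.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        path, _, version = ref.partition("@")
        # owner/repo[/subdir] -> owner/repo
        owner_repo = "/".join(path.split("/")[:2])
        if owner_repo in COMPROMISED_ACTIONS:
            reason = "compromised"
        elif not FULL_SHA_RE.match(version):
            reason = "unpinned"
        else:
            continue
        findings.append({"line": lineno, "uses": ref,
                         "action": owner_repo, "reason": reason})
    return findings


def suggest_pin(ref, resolved_sha):
    """Rewrite 'owner/repo@tag' as 'owner/repo@<sha>  # tag'.

    The SHA is supplied by the caller after resolving and reviewing the tag
    out of band (assumption for this example); keeping the tag as a comment
    lets Dependabot/Renovate-style tooling still see what version it tracks.
    """
    path, _, version = ref.partition("@")
    return f"{path}@{resolved_sha}  # {version}"


if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {finding['line']}: {finding['uses']} ({finding['reason']})")
```

Run it against every file under `.github/workflows/` in each repository; anything reported as `compromised` should also trigger the log review and secret rotation the article recommends, since a past run of that step may already have written secrets into the action logs.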