The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a newly discovered vulnerability linked to the supply chain compromise of the GitHub Action tj-actions/changed-files to its Known Exploited Vulnerabilities (KEV) catalog.
The flaw, tracked as CVE-2025-30066, has been assigned a CVSS severity score of 8.6 because it can lead to remote code execution and data exposure.
A Cascading Supply Chain Compromise
This vulnerability stems from a breach of the GitHub Action itself, allowing attackers to inject malicious code into workflows and access sensitive data through action logs. GitHub Actions is the CI/CD (Continuous Integration and Continuous Deployment) automation platform provided by GitHub; it lets developers automate workflows for building, testing, and deploying their code directly within their GitHub repositories.
The issue is particularly concerning because it enables unauthorized exposure of confidential credentials, including AWS access keys, GitHub personal access tokens (PATs), npm tokens, and private RSA keys.
Cloud security firm Wiz has identified the incident as a cascading supply chain attack. Unidentified threat actors initially compromised the reviewdog/action-setup@v1 GitHub Action, which was subsequently leveraged to infiltrate tj-actions/changed-files. The compromised repository ran an action that used reviewdog/action-setup@v1, creating an opportunity for attackers to execute their malicious payload.
According to Wiz researcher Rami McCarthy, the attack timeline suggests that the reviewdog Action was compromised around the same time as the tj-actions PAT breach. However, the exact method of compromise remains unclear. The attack is believed to have taken place on March 11, 2025, with the breach of tj-actions/changed-files occurring before March 14.
The Impact of CVE-2025-30066 on GitHub CI/CD Workflows
The compromised reviewdog action allowed attackers to inject a Base64-encoded payload into CI/CD workflows. This payload, embedded within a file named install.sh, was designed to extract secrets from repositories using the affected workflows. Notably, only the v1 tag of reviewdog/action-setup was impacted.
The maintainers of tj-actions have since confirmed that the breach resulted from a compromised GitHub Personal Access Token (PAT), which permitted unauthorized modifications to the repository. The attackers were able to update the v1 tag, replacing it with their malicious code.
Mitigation Measures and Security Recommendations
In response to the incident, affected users and federal agencies have been advised to update to tj-actions/changed-files version 46.0.1 before April 4, 2025. However, given the nature of the compromise, in which version tags themselves were rewritten, the risk of recurrence remains high.
To strengthen security measures, experts recommend the following actions:
- Replace affected GitHub Actions with secure alternatives.
- Audit past workflows for any signs of malicious activity.
- Rotate any potentially leaked secrets.
- Pin GitHub Actions to specific commit hashes instead of version tags to prevent unauthorized modifications.
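The audit and pinning recommendations above can be checked mechanically. The following script is an added example written for this article; it is not a tool from GitHub, CISA, Wiz or the tj-actions project. It scans workflow files for every `uses:` reference, flags any reference to tj-actions/changed-files (for manual confirmation that it resolves to 46.0.1 or later, since the PAT breach allowed tags to be rewritten) and any reference to the reviewdog/action-setup v1 tag, and reports every other action that is pinned to a tag or branch rather than a full 40-character commit SHA. The sample workflow and the SHA it contains are constructed for the demonstration.

```python
"""Audit GitHub Actions workflow files for unpinned or known-affected action references.

Hypothetical helper written for this article; not a tool from GitHub, Wiz, CISA
or the tj-actions project.
"""
import re
from pathlib import Path

# Actions named in the incident. None means every ref is flagged (tags were
# rewritable after the PAT breach); a set lists the specific refs reported as impacted.
AFFECTED = {
    "tj-actions/changed-files": None,
    "reviewdog/action-setup": {"v1"},
}

# Matches `uses:` lines such as `- uses: owner/repo@ref` or `uses: "owner/repo@ref"`.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)['\"]?", re.MULTILINE)
# A full git commit SHA: exactly 40 lowercase hex characters.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_uses(yaml_text):
    """Return (action, ref) tuples for each remote `uses:` reference in a workflow.

    Local actions (./path) and docker:// images are skipped: they are not
    resolved through repository tags and need a different check.
    """
    refs = []
    for m in USES_RE.finditer(yaml_text):
        spec = m.group(1)
        if spec.startswith("./") or spec.startswith("docker://"):
            continue
        action, _, ref = spec.partition("@")
        refs.append((action, ref))
    return refs


def classify(action, ref):
    """Return 'affected', 'pinned' (full commit SHA) or 'unpinned' (tag, branch, short SHA)."""
    repo = "/".join(action.split("/")[:2])  # drop any subpath: owner/repo/sub/dir -> owner/repo
    if repo in AFFECTED:
        bad_refs = AFFECTED[repo]
        if bad_refs is None or ref in bad_refs:
            return "affected"
    if FULL_SHA_RE.match(ref):
        return "pinned"
    return "unpinned"


def audit_workflow(yaml_text):
    """Return findings for one workflow; pinned references are not reported."""
    findings = []
    for action, ref in parse_uses(yaml_text):
        status = classify(action, ref)
        if status != "pinned":
            findings.append({"action": action, "ref": ref, "status": status})
    return findings


def audit_directory(workflows_dir):
    """Audit every .yml/.yaml file in a .github/workflows directory; returns {path: findings}."""
    results = {}
    for path in sorted(Path(workflows_dir).iterdir()):
        if path.suffix in (".yml", ".yaml"):
            results[str(path)] = audit_workflow(path.read_text(encoding="utf-8"))
    return results


# Constructed sample workflow (not taken from any real repository). The 40-hex
# value below is a placeholder SHA, not a real commit.
SAMPLE_WORKFLOW = """
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v46
      - uses: reviewdog/action-setup@v1
      - uses: reviewdog/action-setup@v2
      - uses: actions/setup-node@deadbeefdeadbeefdeadbeefdeadbeefdeadbeef
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{f['status']:9s} {f['action']}@{f['ref']}")
```

Run against a checkout with `audit_directory(".github/workflows")`; anything reported as `affected` should be removed or replaced, and anything `unpinned` should be re-pinned to the full commit SHA of a version you have reviewed, which is the only reference form a later tag rewrite cannot silently redirect.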