The US Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a vulnerability related to supply chain compromises for GitHub Action, TJ Action/Change Files.
A high-strength flaw tracked as CVE-2025-30066 (CVSS score: 8.6) involves violations of Github actions and injects malicious code that allows remote attackers to access sensitive data via action logs.
“The TJ-actions/Chanded-Files Github actions contain an embedded malicious code vulnerability that allows remote attackers to discover secrets by reading the action log,” CISA said in an alert.
“These secrets may include, but are not limited to, a valid AWS access key, a GitHub Personal Access Token (PAT), an NPM token, and a private RSA key.”
Cloud security company Wiz has revealed that attacks could be an example of cascaded supply chain attacks. Unidentified threat actors first compromised review dog/action setup @v1 github actions that permeate TJ-actions/change files.
“TJ-actions/eslint-changed-files uses ReviewDog/Action-Setup@v1, and the TJ-actions/Changed-Files repository performs this TJ-actions/eslint-changed-files action with a personal access token.” “A review dog’s action has been compromised in roughly the same time window as TJ-actions compromised.”
It is not clear at the moment how this was done. However, the compromise is said to have occurred on March 11, 2025. The TJ Action/Modified File Violation occurred at some point before March 14th.
This means that you can use an infected ReviewDog action to insert malicious code into your CI/CD workflow using it. In this case, the base64-encoded payload added to the file named install.sh used in the workflow.
As with TJ actions, the payload is designed to expose secrets from the repository running the workflow in the log. This issue only affects one tag (V1) in ReviewDog/Action-Setup.
TJ Action maintainers revealed that the attack was a result of a compromised Github Personal Access Token (PAT), allowing attackers to modify the repository with malicious code.
“Attackers can tell you that they have gained enough access to update the V1 tag to malicious code that has placed it on the repository’s fork,” McCarthy said.
“ReviewDog Github organizations have a relatively large contributor base and appear to be actively adding contributors through automated invitations. This increases the attack surface because contributor access has been compromised or contributor access has been maliciously acquired.”
In light of the compromise, affected users and federal agencies are encouraged to update to the latest version of the TJ-actions/change file (46.0.1) by April 4, 2025 to ensure their networks are secured from active threats. However, given the underlying cause, there is a risk of recurrence.
In addition to replacing affected actions with a safer alternative, we recommend auditing past workflows for suspicious activities, rotating leaked secrets, and pinning all github actions to a specific commit hash instead of version tags.
Source link
