Close Menu
  • Home
  • Identity
  • Inventions
  • Future
  • Science
  • Startups
  • Spanish
What's Hot

European Innovation Methods to Turn Research into Market Success

Sewage runoff and coastal winds fuel microplastic pollution

ServiceNow Flaw CVE-2025-3648 can lead to data exposure via misunderstood ACLS

Facebook X (Twitter) Instagram
  • Home
  • About Us
  • Advertise with Us
  • Contact Us
  • DMCA
  • Privacy Policy
  • Terms & Conditions
  • User-Submitted Posts
Facebook X (Twitter) Instagram
Fyself News
  • Home
  • Identity
  • Inventions
  • Future
  • Science
  • Startups
  • Spanish
Fyself News
Home » Github Action Compromise puts CI/CD secrets at risk in over 23,000 repositories
Identity

Github Action Compromise puts CI/CD secrets at risk in over 23,000 repositories

userBy userMarch 17, 2025No Comments4 Mins Read
Share Facebook Twitter Pinterest Telegram LinkedIn Tumblr Email Copy Link
Follow Us
Google News Flipboard
Share
Facebook Twitter LinkedIn Pinterest Email Copy Link

March 17, 2025Ravi LakshmananVulnerability/Cloud Security

Cybersecurity researchers are using continuous integration and continuous delivery (CI/CD) workflows to draw attention to cases in which common Github Action TJ action/change files have been compromised to leak secrets from the repository.

The incident included TJ-actions/Chanded-Files Github actions used in over 23,000 repositories. Used to track and retrieve all files and directories that have been modified.

Supply chain compromises are assigned the CVE identifier CVE-2025-30066 (CVSS score: 8.6). The incident is said to have occurred before March 14th, 2025.

Cybersecurity

“In this attack, the attacker changed the code of the action and retrospectively updated multiple version tags to refer to malicious commits,” Stepecurity said. “The compromised action prints the CI/CD secrets on github actions.

The ultimate result of this behavior is that if the workflow log is published, the actions performed in the repository can lead to unauthorized exposure of sensitive secrets.

This includes AWS Access Keys, Github Personal Access Tokens (PAT), NPM Tokens, Private RSA Keys, and more. However, there is no evidence that leaked secrets have been sucked up into the infrastructure managed by attackers.

Specifically, the malicious insert code is designed to run a GitHub Gist-hosted Python script that dumps CI/CD secrets from the runner worker process. It is said to have come from an unverified source code commit. Github Gist has since been deleted.

“TJ-actions/Change-Files are used in organizations’ software development pipelines,” Dimitri Stiliadis, CTO and co-founder of Endor Labs, said in a statement shared with Hacker News. “After the developers write and review the code, they usually publish it to the main branch of the repository. From there they take a ‘pipeline’, create it, build it for production, and deploy it. ”

“TJ-actions/Change-Files helps to detect changes to files in the repository. This allows you to see which files have been added, changed or deleted during a commit, branch, or pull request.”

“Attackers changed the code of the action, retroactively updating multiple version tags to refer to malicious commits. Compromised actions now discard CI/CD secrets and run malicious Python scripts that affect thousands of CI pipelines.”

The project maintainer says that the unknown threat actor behind the incident was able to compromise the github personal access token (pat) used by @tj-actions-bot, a bot with privileged access to the compromised repository.

Following the discovery, the account’s password was updated, authentication was upgraded to use PassKey, and its privilege level was updated to follow the principle of minimal privilege. Github has cancelled its compromised Pat.

“The affected personal access tokens were saved as secrets of Github actions that were subsequently revoked,” the maintainer added. “Now, it will not be used for all projects in the TJ-actions organization and will prevent the risk of recurrence.”

Cybersecurity

Anyone using GitHub actions is recommended to update to the latest version (46.0.1) as soon as possible. It is also recommended that users review all workflows that ran between March 14th and March 15th and see “unexpected output in the modified files section”.

This is not the first time a security issue has been flagged in a TJ-actions/Chanded-Files action. In January 2024, security researcher Adnan Khan revealed details of the serious flaws (CVE-2023-49291, CVSS score: 9.8) affecting TJ-actions/Changed-files and TJ-actions/Branch-Names that could pave the way for the execution of arbitrary code.

This development once again highlights that open source software remains particularly susceptible to supply chain risks.

“As of March 15, 2025, we found that all versions of the TJ action/change file will be affected as attackers have changed existing version tags to point to malicious code,” said Wiz, a cloud security company.

“Customers who used the hashpin version of TJ-actions/change files will not be affected unless they are updated to the affected hash during the exploitation period.”

Did you find this article interesting? Follow us on Twitter and LinkedIn to read exclusive content you post.

Source link

Follow on Google News Follow on Flipboard
Share. Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
Previous ArticleGoogle adds voice model Chirp 3 to Vertex AI platform
Next Article SANS Institute warns about new cloud native ransomware attacks
user
  • Website

Related Posts

ServiceNow Flaw CVE-2025-3648 can lead to data exposure via misunderstood ACLS

July 10, 2025

The Future of Process Automation is Here: Meet TwinH

July 9, 2025

Gold Melody IAB exploits exposed ASP.NET machine keys to unauthorized access to targets

July 9, 2025
Add A Comment
Leave A Reply Cancel Reply

Latest Posts

European Innovation Methods to Turn Research into Market Success

Sewage runoff and coastal winds fuel microplastic pollution

ServiceNow Flaw CVE-2025-3648 can lead to data exposure via misunderstood ACLS

Why isn’t Cluely’s Roy Lee sweating cheating?

Trending Posts

Subscribe to News

Subscribe to our newsletter and never miss our latest news

Please enable JavaScript in your browser to complete this form.
Loading

Welcome to Fyself News, your go-to platform for the latest in tech, startups, inventions, sustainability, and fintech! We are a passionate team of enthusiasts committed to bringing you timely, insightful, and accurate information on the most pressing developments across these industries. Whether you’re an entrepreneur, investor, or just someone curious about the future of technology and innovation, Fyself News has something for you.

The Future of Process Automation is Here: Meet TwinH

Robots Play Football in Beijing: A Glimpse into China’s Ambitious AI Future

TwinH: A New Frontier in the Pursuit of Immortality?

Meta’s Secret Weapon: The Superintelligence Unit That Could Change Everything 

Facebook X (Twitter) Instagram Pinterest YouTube
  • Home
  • About Us
  • Advertise with Us
  • Contact Us
  • DMCA
  • Privacy Policy
  • Terms & Conditions
  • User-Submitted Posts
© 2025 news.fyself. Designed by by fyself.

Type above and press Enter to search. Press Esc to cancel.