FOCUS MODE
EXTRACT IOC
Threat Research

Detecting and Mitigating the “tj-actions/changed-files” Supply Chain Attack (CVE-2025-30066)

Sysdig
Detecting and Mitigating the “tj-actions/changed-files” Supply Chain Attack (CVE-2025-30066)

Summary:
On March 12, 2025, a malicious commit was introduced into the GitHub Action tj-actions/changed-files, impacting tens of thousands of repositories. The attack involved injecting base64-encoded Node.js code that downloaded Python scripts to scan GitHub Runner memory for sensitive credentials. These credentials were either printed in build logs or exfiltrated to a GitHub Gist. Organizations using the compromised action must rotate secrets and implement security monitoring with tools like Falco and Sysdig Secure to detect similar threats.

Keypoints:

  • CVE-2025-30066 assigned for the compromise.
  • Malicious Code: Injected Node.js script downloads Python code for memory scanning.
  • Data Exposure: Credentials were either logged or exfiltrated.
  • Affected Repositories:
    • Public repositories running the action from March 12–15, 2025, face high risk.
    • Private repositories have a lower but significant risk.
  • Detection & Mitigation:
    • Use Falco and Sysdig Secure to detect memory scanning.
    • Rotate secrets in affected repositories.
    • Implement alternative GitHub Actions.

MITRE Techniques:

  1. T1059.007 – Command and Scripting Interpreter: JavaScript

    • The attacker injected a Node.js function containing base64-encoded instructions.

  2. T1027 – Obfuscated Files or Information

    • The malicious script used base64 encoding to hide its payload.

  3. T1204.002 – User Execution: Malicious File

    • The GitHub Action executed the compromised script as part of a CI/CD workflow.

  4. T1055.012 – Process Injection: Process Memory Injection

    • The Python script scanned the memory of the GitHub Runner (Runner.worker) for credentials.

  5. T1552.001 – Unsecured Credentials: Credentials in Files

    • Extracted secrets from GitHub Runner memory and stored them in logs.

  6. T1567.002 – Exfiltration Over Web Service: Exfiltration to Code Repositories

    • Some versions of the attack exfiltrated credentials via a POST request to a GitHub Gist.

Indicators of Compromise (IoC):

Malicious GitHub Repository (No longer available)

  • https://github.com/tj-actions/changed-files (compromised)

Malicious Scripts and Behaviors:

  • Base64-encoded payloads injected into the GitHub Action.
  • Python scripts downloading additional payloads from a GitHub Gist.
  • Exfiltration URLs:
    • https://gist.githubusercontent.com/<attacker_id> (used for storing stolen credentials)

Full Story: https://sysdig.com/blog/detecting-and-mitigating-the-tj-actions-changed-files-supply-chain-attack-cve-2025-30066/

Tags: CVE, EXPLOIT, PAYLOAD, EMAIL, CLOUD, EXFILTRATION