GitHub Action tj-actions/changed-files supply chain attack: everything you need to know

The GitHub Action tj-actions/changed-files was compromised on March 14, 2025: a malicious commit was pushed to the action and its existing version tags were retargeted at that commit, so any workflow that pulled the action by tag ran a payload that dumped the CI runner's memory and printed the secrets it found to the workflow log. In public repositories those logs, and therefore the secrets, were readable by anyone. The incident is tracked as CVE-2025-30066. Although the malicious code has since been removed, the risk remains wherever exposed secrets have not been rotated, so affected users need to rotate credentials now and harden their workflows against a repeat. Affected: public repositories, GitHub Action users

Keypoints :

  • The GitHub Action tj-actions/changed-files was compromised by a malicious commit that caused CI secrets to be printed in workflow logs.
  • The compromise is tracked as CVE-2025-30066.
  • The malicious code was removed soon after the compromise was detected, but secrets already written to logs stay exposed until they are rotated.
  • The payload read the memory of the Runner.Worker process on the CI runner and printed any secrets it found to the workflow log, double-base64-encoded; in public repositories those logs are readable by anyone.
  • No exfiltration of secrets to attacker-controlled servers was observed; the secrets were only written to the logs.
  • Every version was affected: the attacker retroactively moved the action's existing version tags to the malicious commit, so a workflow that referenced the action by tag rather than by commit SHA ran the malicious code on its next run.
  • Immediate action is required: rotate every secret a workflow using the action could reach (repository secrets, cloud keys, package registry tokens) and review the logs of runs during the compromise window.
  • Users are advised to stop using the compromised action, or at least to pin it to a known-good commit SHA, and to evaluate alternatives.
  • The incident affected many repositories, including those of large organizations.
  • Potentially affected repositories can be found by searching the workflow files under .github/workflows for `uses: tj-actions/changed-files`.
  • Rotating any leaked secrets and removing or replacing the affected workflows is recommended to limit further exposure; removing the workflow does not undo a leak that has already been read.
  • Pinning third-party actions to a full commit SHA instead of a tag mitigates this class of attack, because a tag is mutable and can be moved to a malicious commit while a SHA cannot be repointed.
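The search and pinning advice in the last three key points, as an added worked example that is not code from the Wiz post or from the tj-actions project: a small Python audit that scans workflow YAML for `uses:` references, flags every reference to tj-actions/changed-files, and flags every third-party action that is referenced by a mutable tag or branch instead of a 40-hex-character commit SHA. The workflow file embedded below is constructed for the example, and the SHA in it is a placeholder, not a real commit.

```python
"""Audit GitHub Actions workflow files for unpinned third-party actions and
for any use of tj-actions/changed-files. Example code written for this page;
it is not from the Wiz write-up or the tj-actions project."""
import re
import sys
from dataclasses import dataclass
from pathlib import Path

COMPROMISED_ACTION = "tj-actions/changed-files"

# `uses: owner/repo@ref` or `uses: owner/repo/sub/path@ref`, with or without a
# leading list dash and optional quotes. Local (./) and docker:// uses are
# deliberately not matched: they are not fetched from a third-party repository.
USES_RE = re.compile(
    r"^[ \t]*-?[ \t]*uses:[ \t]*['\"]?"
    r"(?P<action>[\w.-]+/[\w.-]+)(?:/[^@\s'\"]+)?@(?P<ref>[^\s'\"#]+)",
    re.MULTILINE,
)
# A full commit SHA is the only immutable ref; tags and branches can be moved.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Finding:
    line: int
    action: str
    ref: str
    pinned: bool       # True when ref is a full commit SHA
    compromised: bool  # True when the action is tj-actions/changed-files


def audit_workflow(text: str) -> list:
    """Return one Finding per third-party `uses:` reference in a workflow."""
    findings = []
    for m in USES_RE.finditer(text):
        action, ref = m.group("action"), m.group("ref")
        line_no = text.count("\n", 0, m.start()) + 1
        findings.append(Finding(
            line=line_no,
            action=action,
            ref=ref,
            pinned=bool(FULL_SHA_RE.match(ref)),
            compromised=action.lower() == COMPROMISED_ACTION,
        ))
    return findings


def needs_action(findings: list) -> list:
    """Turn findings into remediation messages. A tag or branch reference to
    the compromised action means the workflow may have run the payload (the
    attacker moved the tags), so its secrets must be rotated; a SHA reference
    to it still has to be checked against a known-good commit."""
    msgs = []
    for f in findings:
        if f.compromised and not f.pinned:
            msgs.append(f"line {f.line}: {f.action}@{f.ref} ran by mutable tag; "
                        "rotate every secret this workflow could reach and replace the step")
        elif f.compromised:
            msgs.append(f"line {f.line}: {f.action}@{f.ref} is SHA-pinned; "
                        "verify the SHA is a known-good commit")
        elif not f.pinned:
            msgs.append(f"line {f.line}: {f.action}@{f.ref} uses a mutable ref; "
                        "pin to a full commit SHA")
    return msgs


# Constructed sample workflow: the SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Detect changed files
        uses: tj-actions/changed-files@v45
      - uses: actions/setup-node@deadbeefdeadbeefdeadbeefdeadbeefdeadbeef
"""


def audit_paths(paths: list) -> dict:
    """Audit every .yml/.yaml under the given paths (typically .github/workflows)."""
    report = {}
    for root in paths:
        files = [p for ext in ("*.yml", "*.yaml") for p in Path(root).rglob(ext)]
        for f in sorted(files):
            msgs = needs_action(audit_workflow(f.read_text(encoding="utf-8")))
            if msgs:
                report[str(f)] = msgs
    return report


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, msgs in audit_paths(sys.argv[1:]).items():
            print(path)
            for m in msgs:
                print("  " + m)
    else:
        for m in needs_action(audit_workflow(SAMPLE_WORKFLOW)):
            print(m)
```

Run it as `python audit.py .github/workflows` against a checkout; with no arguments it audits the constructed sample, where only the SHA-pinned step passes. A SHA pin is necessary but not sufficient: the audit cannot tell a good SHA from a bad one, which is why a pinned reference to the compromised action is still reported for manual verification.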

MITRE Techniques :

  • T1195.002 – Supply Chain Compromise: Compromise Software Supply Chain: the attacker injected a malicious commit into the action and retargeted its version tags so that downstream CI workflows executed it.
  • T1003.007 – OS Credential Dumping: Proc Filesystem: the payload read the memory of the Runner.Worker process on the CI runner to extract the secrets held by the job.
  • T1036 – Masquerading: the malicious commit was made to appear as if authored by the Renovate bot so that it would not raise suspicion.
  • T1059.006 – Command and Scripting Interpreter: Python: the injected code fetched a Python memory-dump script and executed it with python3 on the runner.

Indicator of Compromise :

  • [GitHub Action] tj-actions/changed-files (all version tags during the compromise window)
  • [CVE] CVE-2025-30066
  • [Token] AWS Access Keys (specific access keys not provided)
  • [Token] GitHub Personal Access Tokens (PATs) (specific tokens not provided)
  • [Token] NPM Tokens (specific tokens not provided)
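For triaging the indicators above, an added example that is not code from the Wiz post: because the malicious commit printed the memory dump to the workflow log double-base64-encoded, a plain grep for `AKIA` or `ghp_` over the raw log misses it. The script below decodes candidate blobs and scans both the raw and the decoded text for the three token formats listed. The log lines and secret values (AWS's documented example access key and a placeholder PAT) are constructed, and the regexes are simplified token shapes for triage, not authoritative validators.

```python
"""Triage a GitHub Actions workflow log for secrets leaked by the malicious
tj-actions/changed-files commit. Example code written for this page, not from
the Wiz write-up; the log lines and secret values are constructed."""
import base64
import binascii
import re
from typing import Optional

# Simplified token shapes (assumption: good enough for triage, not validators).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "npm_token": re.compile(r"\bnpm_[A-Za-z0-9]{36}\b"),
}

# The payload printed the dump as one double-base64-encoded blob, so the raw
# log holds only runs of base64 alphabet, never the secrets in clear.
B64_BLOB_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decode_double_base64(blob: str) -> Optional[str]:
    """Undo two layers of base64; None if either layer is not valid base64."""
    try:
        inner = base64.b64decode(blob, validate=True)
        return base64.b64decode(inner, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def find_secrets(text: str) -> set:
    """Return {(kind, value)} for every token shape found in the text."""
    found = set()
    for kind, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(text):
            found.add((kind, m.group(0)))
    return found


def triage_log(lines: list) -> dict:
    """Scan raw lines and every decodable double-base64 blob for secrets."""
    secrets = set()
    decoded_blobs = 0
    for line in lines:
        secrets |= find_secrets(line)
        for blob in B64_BLOB_RE.findall(line):
            decoded = decode_double_base64(blob)
            if decoded is not None:
                decoded_blobs += 1
                secrets |= find_secrets(decoded)
    return {"secrets": sorted(secrets), "decoded_blobs": decoded_blobs}


# Constructed dump: AWS's documented example access key and a placeholder PAT.
_FAKE_DUMP = (
    b"AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
    b"GITHUB_TOKEN=ghp_abcdefghijklmnopqrstuvwxyz0123456789\n"
)
_ENCODED_DUMP = base64.b64encode(base64.b64encode(_FAKE_DUMP)).decode("ascii")

# Constructed log excerpt in the shape of a workflow run log.
SAMPLE_LOG_LINES = [
    "2025-03-14T12:00:00Z Run tj-actions/changed-files@v45",
    "2025-03-14T12:00:01Z " + _ENCODED_DUMP,
    "2025-03-14T12:00:02Z All changed files: src/main.py",
]


if __name__ == "__main__":
    result = triage_log(SAMPLE_LOG_LINES)
    print(f"decoded {result['decoded_blobs']} blob(s)")
    for kind, value in result["secrets"]:
        print(f"{kind}: {value[:8]}... (rotate)")
```

Feed it the downloaded log of any run that used the action during the compromise window. A hit means the corresponding credential must be treated as leaked and rotated; a miss does not clear the run, since the dump also contained secrets in formats these three patterns do not cover, so every secret the job could reach should still be rotated.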


Full Story: https://www.wiz.io/blog/github-action-tj-actions-changed-files-supply-chain-attack-cve-2025-30066