Summary: GitHub responded to a security incident involving the compromise of the popular open-source package tj-actions/changed-files, which affected over 23,000 users by leaking sensitive information through CI/CD logs. The attack exposed secrets like AWS keys and GitHub Personal Access Tokens, prompting GitHub to temporarily suspend user accounts and revert malicious changes. Experts emphasize the need for security audits and stricter policies around open-source dependencies to prevent future incidents.
Affected: GitHub Action tj-actions/changed-files, over 23,000 organizations
Keypoints:
- An attacker modified the action's code so that CI/CD secrets were exposed in logs; the issue is tracked as CVE-2025-30066.
- GitHub acted quickly, suspending accounts and reverting the affected code after confirming its integrity.
- Security experts urge auditing of repositories and implementing policies to prevent misuse of third-party tools.
Source: https://therecord.media/github-restores-code-malicious-tj-actions-changes
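
As a starting point for the repository audit the experts recommend, the following added example (not code from GitHub, the action's maintainers, or the source article) scans workflow text for `uses:` references. It flags every reference to tj-actions/changed-files, and it also goes beyond the incident to flag any action referenced by a tag or branch rather than a full commit SHA. The sample workflow, the `example-org/example-action` name and its SHA are constructed for illustration.

```python
import re

AFFECTED = "tj-actions/changed-files"  # the action named on this page
# Matches `uses: owner/repo[/path]@ref`, optionally quoted or a list item.
USES_RE = re.compile(r'''^\s*(?:-\s*)?uses:\s*['"]?([^\s'"@#]+)@([^\s'"#]+)''')
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

# Constructed sample workflow (not taken from any real repository).
SAMPLE = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: List changed files
        uses: tj-actions/changed-files@v1
      - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567  # constructed SHA
      - uses: ./.github/actions/local
"""

def audit_workflow(text):
    """Return one finding per `uses:` line that references a remote action."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m or m.group(1).startswith("docker://"):
            continue  # local (./path) and docker:// steps are out of scope
        action, ref = m.groups()
        repo = "/".join(action.split("/")[:2])  # drop any sub-path
        findings.append({
            "line": lineno, "action": repo, "ref": ref,
            # A tag or branch can be repointed by whoever controls the action
            # repository; a full commit SHA cannot.
            "pinned": FULL_SHA_RE.fullmatch(ref) is not None,
            "affected": repo.lower() == AFFECTED,
        })
    return findings

def needs_review(findings):
    """Affected action at any ref (a pinned SHA must still be checked against
    a known-good commit), plus any other action on a mutable ref."""
    return [f for f in findings if f["affected"] or not f["pinned"]]

if __name__ == "__main__":
    for f in needs_review(audit_workflow(SAMPLE)):
        tag = "AFFECTED" if f["affected"] else "unpinned"
        print(f"line {f['line']}: {f['action']}@{f['ref']} [{tag}]")
```

To audit a real repository, pass the contents of each file under `.github/workflows/` to `audit_workflow`.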