BleepingComputer reports that only 218 GitHub repositories had their secrets leaked following the supply chain compromise aimed at the GitHub Action tj-actions/changed-files, tracked as CVE-2025-30066, an incident initially noted to have impacted 23,000 projects.
Most of the exposed secrets were GitHub install action tokens, whose 24-hour expiration has restricted exploitation opportunities, unlike the Docker, npm, and AWS credentials also leaked by the GitHub repositories, according to an analysis from Endor Labs. Meanwhile, all of the other GitHub repositories believed to have been affected by the intrusion were protected by 'best-practice recommendations,' said Endor Labs researchers. "Some repositories followed best-practice recommendations and referenced the commit SHA instead of a mutable tag. Others were run before the attacker tampered with all of the version tags such that they point to the malicious commit," Endor Labs added. Although the impact of the intrusion was less severe than previously believed, GitHub Actions users have been urged to bolster file and folder access controls.