More than 23,000 GitHub repositories had their secrets leaked following a high-severity supply chain compromise aimed at the GitHub Action tj-actions/changed-files, tracked as CVE-2025-30066, The Hacker News reports.
Attackers manipulated the action, which is designed to list the files changed within a repository, so that it pointed to a malicious commit instead; this exposed GitHub Personal Access Tokens, Amazon Web Services access keys, private RSA keys, npm tokens, and other sensitive secrets, according to a report from StepSecurity.
The attack has since prompted the maintainers to set a new password, enable passkey authentication, apply least-privilege permissions, and revoke the compromised PAT.
"Going forward no PAT would be used for all projects in the tj-actions organization to prevent any risk of reoccurrence," the maintainers said, urging users to upgrade immediately to version 46.0.1 of the GitHub Action.
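As an added example (not from the report or the tj-actions project), the following script audits workflow files for references to the action and reports how each one is pinned: a full commit SHA, a version tag below the advised 46.0.1, a tag at or above it, or a mutable branch-style reference. The sample workflow and the commit SHA inside it are constructed placeholders.

```python
import re

# Added example, not code from the original report or from tj-actions.
# Scans GitHub Actions workflow text for `uses:` references to
# tj-actions/changed-files and classifies how each reference is pinned.
ACTION = "tj-actions/changed-files"
FIXED_VERSION = (46, 0, 1)  # version the maintainers urged users to upgrade to

USES_RE = re.compile(r"uses:\s*['\"]?" + re.escape(ACTION) + r"@(?P<ref>[^\s'\"#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # full-length commit SHA
VERSION_RE = re.compile(r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?$")

def parse_version(ref):
    """Turn a tag such as v45 or v46.0.1 into a comparable tuple, else None."""
    m = VERSION_RE.match(ref)
    if not m:
        return None
    return tuple(int(p) if p is not None else 0 for p in m.groups())

def classify_ref(ref):
    """Return a verdict for one @ref. Only a full commit SHA is immutable:
    a version tag can be moved by whoever controls the repository, which is
    why a tag at or above the fixed version is still weaker than a SHA pin."""
    if SHA_RE.match(ref):
        return "pinned-sha"
    version = parse_version(ref)
    if version is None:
        return "mutable-ref"  # branch name or other non-version reference
    if version < FIXED_VERSION:
        return "tag-below-fix"
    return "tag-at-or-above-fix"

def audit_workflow(text):
    """Return (line_number, ref, verdict) for every reference to the action."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.search(line)
        if m:
            ref = m.group("ref")
            findings.append((lineno, ref, classify_ref(ref)))
    return findings

# Constructed sample workflow; the 40-hex SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  changed:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: tj-actions/changed-files@v46.0.1
      - uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567
      - uses: tj-actions/changed-files@main
"""

if __name__ == "__main__":
    for lineno, ref, verdict in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ACTION}@{ref} -> {verdict}")
```

Run it over the `.github/workflows/*.yml` files of each repository; anything other than `pinned-sha` deserves a review, and `tag-below-fix` or `mutable-ref` should be treated as a reason to rotate the secrets that workflow could reach.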
Meanwhile, Sysdig regarded the compromise as indicative of escalating supply chain attack risks against CI/CD environments.