The Cybersecurity and Infrastructure Security Agency (CISA) on March 18 added a high-severity bug in the GitHub Action tj-actions/changed-files to its Known Exploited Vulnerabilities (KEV) catalog.
Security researchers from Wiz first pointed to the issue — CVE-2025-30066 — in a March 17 blog post, in which they reported that a supply chain attack on tj-actions/changed-files caused many GitHub repos to leak their secrets over the previous weekend.
Darren Meyer, security research advocate at Checkmarx, wrote in a March 18 blog that the compromise caused sensitive information to leak into run logs, information that's accessible to anyone with “read” access to a repository.
Meyer wrote that security teams that have public repositories that use one of the compromised actions should assume that any secrets used in GitHub Workflows for those repos have been leaked and should be rotated.
“Remove public access temporarily, remove or replace the affected actions with safe alternatives, rotate affected secrets, and restore public access once remediation is complete,” wrote Meyer.
GitHub Actions is a continuous integration and continuous delivery (CI/CD) service that lets developers automate software builds and tests. Workflows are triggered by specific events, such as new code being committed to the repository. In this case, a malicious commit was discovered in the action: attackers modified its code and retroactively updated multiple version tags to reference the malicious commit, so existing workflows that referenced those tags pulled the modified code.
According to CISA, the malicious code can let a remote attacker discover secrets by reading these action logs. The secrets may include, but are not limited to, valid AWS access keys, GitHub personal access tokens, npm tokens, and private RSA keys.
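Because the attackers moved existing version tags onto the malicious commit, any workflow that referenced the action by tag picked it up automatically; pinning every third-party action to a full 40-character commit SHA removes that exposure. The following audit script is an added example, not code from the article or from the tj-actions project: it scans a workflow file for `uses:` references that are not SHA-pinned and for actions on a watchlist (the function names, the sample workflow and the placeholder SHA are all constructed for this illustration).

```python
import re

# A `uses:` step reference of the form owner/repo[/path]@ref, with optional quotes.
# Local actions (./path) carry no @ref and are skipped on purpose.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'@]+)@([^\s"\'#]+)')
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')

# Actions whose tags were retargeted; extend as advisories are published.
WATCHLIST = ("tj-actions/changed-files",)

# Constructed sample workflow: one SHA-pinned action (placeholder SHA),
# one tag-referenced action on the watchlist, one local action.
SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: tj-actions/changed-files@v45
      - uses: ./.github/actions/local-step
      - name: test
        run: make test
"""


def audit_workflow(text, watchlist=WATCHLIST):
    """Return (line_no, action, ref, reason) tuples for risky step references."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group(1), m.group(2)
        repo = "/".join(action.split("/")[:2])  # owner/repo without a sub-path
        if not FULL_SHA_RE.match(ref):
            findings.append((line_no, action, ref,
                             "mutable ref (tag or branch); pin to a full commit SHA"))
        if repo in watchlist:
            findings.append((line_no, action, ref,
                             "action on watchlist; review run logs and rotate secrets"))
    return findings


if __name__ == "__main__":
    for line_no, action, ref, reason in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action}@{ref}: {reason}")
```

Run it over every file under `.github/workflows/` in each repository; a mutable-ref finding on a watchlisted action is the case the article describes and warrants the rotation Meyer recommends.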
“Once primarily the domain of sophisticated nation-states, these supply chain attacks, as with other TTPs in the past, are increasingly proliferating to non-state actors as the technical and economic limitations on the attacks diminish,” said Joe Silva, chief executive officer at Spektion. “The proliferation of these attacks and the overall degraded trust they create in the software ecosystem makes it more important than ever that organizations have run-time visibility into software risk, rather than rely on disclosures/CVEs or detection of attacks after impacted software has already been exploited.”
David Stuart, cybersecurity evangelist at Sentra, added that the attack on GitHub underscores the critical need for better protection against data leakage and misconfiguration in code repositories. Stuart said preventing data loss — whether through overexposure, misconfigurations, or the accidental inclusion of sensitive information like passwords and secrets — requires a proactive approach.
“Organizations should focus on two areas: strengthening data posture management to identify and protect sensitive data before exposure occurs, and continuously monitoring for threats targeting data stores where valuable intellectual property or credentials may reside,” said Stuart. “By taking these steps, companies can reduce the risk of sensitive data falling into the wrong hands.”