Published 18 days ago • loading... • Updated 15 days ago

Supply-chain attack exposing credentials affects 23K users of tj-actions

A compromise of tj-actions/changed-files resulted in publicly accessible repositories displaying sensitive credentials in logs, which anyone could view.
The tj-actions team confirmed the compromise occurred after a bot account was breached, though the motivation and identity of the attackers remain unknown.
The compromised file copied the internal memory of servers, searched for credentials, and wrote them to a log.
RunZero CEO and open-source security expert HD Moore stated that actions can modify the source code and access secret variables, emphasizing the potential dangers.
Cybersecurity experts recommend an immediate response, including auditing repositories, rotating secrets, and finding alternatives to tj-actions/changed-files, as the compromise has been assigned CVE-2025-30066 with a high severity rating of 8.6.

Insights by Ground AI

Does this summary seem wrong?

22 Articles

All

Left

Center

Right

The Register

Center

GitHub supply chain attack spills secrets from 23K projects

: Large organizations among those cleaning up the mess

16 days ago

Read Full Article

BleepingComputer

Reposted by

cybernoz.com

Center

Supply chain attack on popular GitHub Action exposes CI/CD secrets

A supply chain attack on the widely used 'tj-actions/changed-files' GitHub Action, used by 23,000 repositories, potentially allowed threat actors to steal CI/CD secrets from GitHub Actions build logs.

16 days ago

Read Full Article

Ars Technica

Center

Supply-chain attack exposing credentials affects 23K users of tj-actions

tj-actions/changed-files, corrupted to run credential-stealing memory scraper.

17 days ago·United States

Read Full Article

cisa.gov

Supply Chain Compromise of Third-Party GitHub Action, CVE-2025-30066

Supply Chain Compromise of Third-Party GitHub Action, CVE-2025-30066 sneary Mar 18, 2025 Release DateMarch 18, 2025 DescriptionA popular third-party GitHub Action, tj-actions/changed-files (tracked as CVE-2025-30066), was compromised. This GitHub Action is designed to detect which files have changed in a pull request or commit. The supply chain compromise allows for information disclosure of secrets including, but not limited to, valid access …

15 days ago

Read Full Article

ChannelNews

Attack on GitHub's supply chain unveils the content of 23,000 projects

Any project using GitHub's tj-action/changed-files would be compromised since last week, according to cybersecurity specialist StepSecurity. However, more than 23,000 GitHub repositories currently use the automation project code. Among the development secrets likely to leak: API keys, passwords or access chips. This high vulnerability [...] The post An attack on GitHub's supply chain reveals the contents of 23,000 projects appeared first on Chan…

16 days ago

Read Full Article

Information Security Buzz

GitHub Leak Puts Software Supply Chains At Risk: Thousands Of Secrets Exposed

Over 23,000 organizations may be at risk following a supply chain attack affecting tj-actions/changed-files GitHub Action, say researchers at StepSecurity. GitHub Actions is a CI/CD service that allows developers to automate software builds and testing. Workflows run in response to specific events, such as committing new code to a repository. With adoption in over 23,000 [...]

16 days ago

Read Full Article

Think freely.Subscribe and get full access to Ground NewsSubscriptions start at $9.99/year