The United States Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a vulnerability related to the supply chain compromise of the GitHub Action tj-actions/changed-files to its Known Exploited Vulnerabilities (KEV) catalog.
The high-severity vulnerability, tracked as CVE-2025-30066 (CVSS score: 8.6), stems from the compromise of the GitHub Action to inject malicious code that enables a remote attacker to access sensitive data via Actions logs.
“The tj-actions/changed-files GitHub Action contains an embedded malicious code vulnerability that allows a remote attacker to discover secrets by reading actions logs,” CISA said in an alert.
“These secrets may include, but are not limited to, valid AWS access keys, GitHub personal access tokens (PATs), npm tokens, and private RSA keys,” the alert further stated.
Wiz, a cloud security company, has revealed that the attack may have been an instance of a cascading supply chain attack, where unidentified threat actors first compromised the reviewdog/action-setup@v1 GitHub Action to infiltrate tj-actions/changed-files.
As explained by Wiz researcher Rami McCarthy, “tj-actions/eslint-changed-files uses reviewdog/action-setup@v1, and the tj-actions/changed-files repository runs this tj-actions/eslint-changed-files Action with a Personal Access Token. The reviewdog Action was compromised during roughly the same time window as the tj-actions PAT compromise.”
Although the exact method of compromise is currently unclear, it is confirmed to have occurred on March 11, 2025, with the breach of tj-actions/changed-files happening before March 14.
The compromised reviewdog action could therefore be used to insert malicious code into any CI/CD workflow that used it, in the form of a Base64-encoded payload appended to a file named install.sh used by the workflow.
As in the tj-actions case, the payload is designed to dump secrets from repositories running the workflow into logs. The issue, however, affects only one tag (v1) of reviewdog/action-setup.
The maintainers of tj-actions have disclosed that the attack was the result of a compromised GitHub Personal Access Token (PAT) that enabled the attackers to modify the repository with unauthorized code.
According to McCarthy, “We can tell the attacker gained sufficient access to update the v1 tag to the malicious code they had placed on a fork of the repository.”
“The reviewdog GitHub Organization has a relatively large contributor base and appears to be actively adding contributors through automated invites. This increases the attack surface for a contributor’s access to have been compromised or contributor access to have been gained maliciously,” McCarthy added.
In response to the compromise, affected users and federal agencies are advised to update to the latest version of tj-actions/changed-files (46.0.1) by April 4, 2025, to secure their networks against active threats. Given the root cause, however, there is a risk of recurrence.
Aside from replacing the affected actions with safer alternatives, it’s recommended to audit past workflows for suspicious activity, rotate any leaked secrets, and pin all GitHub Actions to specific commit hashes instead of version tags.
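A minimal audit of the pinning advice above, written as an added example (not code from the article, CISA, or either project): it scans workflow text for `uses:` entries, flags the two actions this article names as compromised, and reports any reference that is not a full 40-character commit SHA. The sample workflow and its checkout SHA are constructed placeholders.

```python
import re

# Constructed sample workflow (not from the page); the checkout SHA is a placeholder.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: tj-actions/changed-files@v45
      - uses: reviewdog/action-setup@v1
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Actions named in the article as compromised
AFFECTED = {"tj-actions/changed-files", "reviewdog/action-setup"}

def parse_uses(text):
    """Return (line_no, action, ref) for each remote `uses:` entry.
    Local (./...) and docker:// refs are skipped: GitHub tag/SHA pinning
    does not apply to them."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        if target.startswith(("./", "docker://")):
            continue
        action, _, ref = target.partition("@")
        # owner/repo/subpath@ref is compared by its owner/repo prefix
        action = "/".join(action.split("/")[:2])
        entries.append((n, action, ref))
    return entries

def audit(text):
    """Flag the named actions and any ref that is not a full commit SHA."""
    findings = []
    for n, action, ref in parse_uses(text):
        if action in AFFECTED:
            findings.append((n, action, "named in the advisory: replace it and rotate secrets"))
        if not SHA_RE.match(ref):
            findings.append((n, action, f"ref '{ref}' is not a 40-hex commit SHA; pin it"))
    return findings
```

Run `audit()` over each file under `.github/workflows/` to list entries still resolved through a mutable tag; a pinned SHA should itself be checked against the upstream repository before being trusted.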