CISA Warns of Active Exploitation in GitHub Action Supply Chain Compromise

Mar 19, 2025 | Ravie Lakshmanan | Vulnerability / DevSecOps

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a vulnerability linked to the supply chain compromise of the GitHub Action tj-actions/changed-files to its Known Exploited Vulnerabilities (KEV) catalog.

The high-severity flaw, tracked as CVE-2025-30066 (CVSS score: 8.6), involves the breach of the GitHub Action to inject malicious code that allows a remote attacker to access sensitive data via the workflow's action logs.

"The tj-actions/changed-files GitHub Action contains an embedded malicious code vulnerability that allows a remote attacker to discover secrets by reading actions logs," CISA said in an alert.


"These secrets may include, but are not limited to, valid AWS access keys, GitHub personal access tokens (PATs), npm tokens, and private RSA keys."

Cloud security company Wiz has since revealed that the attack may have been an instance of a cascading supply chain attack, with unidentified threat actors first compromising the reviewdog/action-setup@v1 GitHub Action in order to reach tj-actions/changed-files.

"tj-actions/eslint-changed-files uses reviewdog/action-setup@v1, and the tj-actions/changed-files repository runs this tj-actions/eslint-changed-files Action with a Personal Access Token," Wiz researcher Rami McCarthy said. "The reviewdog Action was compromised during approximately the same time window as the tj-actions PAT compromise."

It is currently not clear how this took place, but the reviewdog compromise is said to have occurred on March 11, 2025. The breach of tj-actions/changed-files occurred at some point before March 14.

This means the infected reviewdog action could be used to insert malicious code into any CI/CD workflow using it; in this case the injected code is a Base64-encoded payload appended to a file named install.sh that the workflow executes.

As in the case of tj-actions, the payload is designed to expose secrets from repositories running the workflow in the job logs. The issue affects only one tag (v1) of reviewdog/action-setup.

The maintainers of tj-actions have disclosed that the attack was the result of a compromised GitHub Personal Access Token (PAT) that enabled the attackers to modify the repository with unauthorized code.


"We can tell the attacker gained sufficient access to update the v1 tag to the malicious code they had placed on a fork of the repository," McCarthy said.

"The reviewdog GitHub Organization has a relatively large contributor base and appears to be actively adding contributors through automated invitations. This increases the attack surface for a contributor's access to have been compromised or contributor access to have been gained maliciously."

In light of the compromise, affected users and federal agencies are advised to update to the latest version of tj-actions/changed-files (46.0.1) by April 4, 2025, to secure their networks against active threats. Given the root cause, however, there is a risk of recurrence: a tag is a mutable pointer, and anyone who again obtains write access to the action's repository can move it to malicious code.

Besides replacing the affected actions with safer alternatives, it is recommended to audit past workflow runs for suspicious activity, rotate any secrets that may have been leaked, and pin all GitHub Actions to specific commit hashes instead of version tags, since a full commit SHA cannot be silently repointed the way a tag can.
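The audit-and-pin step recommended above, as an added example that is not code from the article, from CISA or Wiz, or from the tj-actions or reviewdog projects. It scans workflow YAML for `uses:` references, flags the action/tag pairs the article names as affected (reviewdog/action-setup@v1, and tj-actions/changed-files on any tag older than 46.0.1), flags every other action referenced by a mutable tag or branch, and rewrites unpinned references to full commit SHAs taken from a caller-supplied map. The sample workflow and the SHAs in `PLACEHOLDER_PINS` are constructed for the demo and are not the real commits of any action. A reference classified as compromised is deliberately left unpinned: freezing a tag that may currently point at attacker code would preserve the compromise rather than remove it.

```python
import re
from typing import Dict, List, Tuple

# A full 40-hex commit SHA is the only immutable reference. Tags and branches
# can be moved by anyone with write access to the action's repository, which
# is exactly what the stolen PAT allowed in this incident.
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")

# Matches `uses: owner/repo[/subdir]@ref` in workflow YAML, with or without
# quotes. Local actions (`./path`) and `docker://` images have no
# `owner/repo@ref` form and therefore never match.
USES_LINE = re.compile(
    r"^(?P<indent>\s*(?:-\s*)?uses:\s*['\"]?)"
    r"(?P<action>[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+)"
    r"(?P<subdir>/[^@'\"\s]+)?@(?P<ref>[^'\"\s#]+)"
    r"(?P<rest>.*)$"
)

FIXED_CHANGED_FILES = "46.0.1"  # the release the article says to update to


def classify(action: str, ref: str) -> str:
    """Label one `uses:` reference.

    PINNED:      full commit SHA; cannot be repointed.
    COMPROMISED: a mutable ref the article reports as affected.
    UNPINNED:    any other tag/branch; a future tag move would be pulled silently.
    """
    if FULL_SHA.match(ref):
        return "PINNED"
    if action == "reviewdog/action-setup" and ref == "v1":
        return "COMPROMISED"
    if action == "tj-actions/changed-files" and ref.lstrip("v") != FIXED_CHANGED_FILES:
        return "COMPROMISED"
    return "UNPINNED"


def audit_workflow(yaml_text: str) -> List[Tuple[int, str, str, str]]:
    """Return (line_no, action, ref, finding) for every non-PINNED `uses:` line."""
    findings = []
    for n, line in enumerate(yaml_text.splitlines(), start=1):
        m = USES_LINE.match(line)
        if not m:
            continue
        label = classify(m["action"], m["ref"])
        if label != "PINNED":
            findings.append((n, m["action"], m["ref"], label))
    return findings


def pin_workflow(yaml_text: str, resolved: Dict[str, str]) -> str:
    """Rewrite UNPINNED refs to full SHAs from a map {"owner/repo@tag": sha}.

    The original tag is kept as a trailing comment so the intended version
    stays readable. COMPROMISED refs are skipped on purpose: they must be
    upgraded, not frozen at whatever the tag currently points to. Refs absent
    from the map are left untouched.
    """
    out = []
    for line in yaml_text.splitlines():
        m = USES_LINE.match(line)
        if m and classify(m["action"], m["ref"]) == "UNPINNED":
            sha = resolved.get(f'{m["action"]}@{m["ref"]}')
            if sha and FULL_SHA.match(sha):
                line = (f'{m["indent"]}{m["action"]}{m["subdir"] or ""}@{sha}'
                        f'{m["rest"]}  # {m["ref"]}')
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample workflow for the demo (not taken from any real repository).
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
        id: changed
      - uses: reviewdog/action-setup@v1
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-thing
"""

# Placeholder SHAs, constructed for the demo; NOT the real commits of these
# actions. In practice the map comes from `git ls-remote --tags` against the
# action repository, after the commit it resolves to has been reviewed.
PLACEHOLDER_PINS = {
    "actions/checkout@v4": "a" * 40,
    "tj-actions/changed-files@v45": "b" * 40,  # present, but never applied
}

if __name__ == "__main__":
    for n, action, ref, label in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {n}: {label:11} {action}@{ref}")
    print(pin_workflow(SAMPLE_WORKFLOW, PLACEHOLDER_PINS))
```

Run against a real repository by feeding it each file under `.github/workflows/`; the `COMPROMISED` findings are the ones to fix first, and the `UNPINNED` findings are the recurring exposure the pinning recommendation addresses.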
