GitHub Action Compromise Puts CI/CD Secrets at Risk in Over 23,000 Repositories
Briefly

A significant security incident was reported involving the tj-actions/changed-files GitHub Action, which is used in CI/CD pipelines in more than 23,000 repositories. The action was compromised: attackers modified its code and retroactively retagged existing versions, which let them leak sensitive secrets, including AWS access keys and GitHub PATs. The incident is tracked as CVE-2025-30066 (CVSS 8.6) and poses a serious risk to repository security, although there is no evidence that the leaked secrets were used maliciously. Measures have since been taken to secure the repository and mitigate the risk.
In this attack, the attackers modified the action's code and retroactively updated multiple version tags to reference the malicious commit, so that the action printed CI/CD secrets in GitHub Actions build logs.
The exposed secrets include AWS access keys, GitHub Personal Access Tokens (PATs), npm tokens, and private RSA keys, among others, creating a risk of unauthorized exposure.
Read at The Hacker News