Supply Chain Attack on GitHub Action Exposes Secrets

by Charline

Security researchers are warning of a supply chain attack on the tj-actions/changed-files GitHub Action, which is used in more than 23,000 repositories. The attack, discovered by StepSecurity, involved a malicious commit made early Friday; the action's existing version tags were repointed to that commit, so every workflow that referenced the action by tag rather than by commit SHA silently picked up the malicious code, leading to widespread exposure of sensitive data.

The action is commonly used in continuous integration/continuous delivery (CI/CD) pipelines, where it tells a workflow which files a commit or pull request changed. The attack underscores the growing risk in software supply chains and the critical need for real-time CI/CD security monitoring, according to Varun Sharma, CEO of StepSecurity.

The incident is tracked as CVE-2025-30066. The malicious code read secrets out of the CI runner's memory and printed them into the workflow's action logs; where those logs are public, any remote attacker can read the credentials. Wiz Threat Research has identified dozens of affected repositories, including ones operated by large organizations.

Among the leaked secrets were AWS access keys, GitHub personal access tokens, private RSA keys, and other sensitive data. Although the malicious update was quickly addressed, organizations must now determine which of their workflows used the compromised action, said Jonathan Braley, director of threat intelligence at IT-ISAC.
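The first step in that determination is finding every workflow that references the action, and how it references it: a full 40-character commit SHA is immune to a repointed tag, whereas `@v45` or `@main` resolves to whatever the tag points at today. The script below is an added example written for this page, not code from the article, StepSecurity or the tj-actions project. It scans a set of workflow files (constructed samples embedded inline; the 40-hex "SHAs" are placeholders of the right shape, not real commits), extracts each `uses:` reference, and reports tj-actions/changed-files references that are pinned by SHA, those pinned only by a mutable tag or branch, and, as a generalization of the same check, every other third-party action that is not SHA-pinned.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# CONSTRUCTED sample workflow files, keyed by path. They are not taken from any
# real repository; the 40-hex refs are placeholders of the right shape only.
SAMPLE_WORKFLOWS: Dict[str, str] = {
    ".github/workflows/ci.yml": """
name: CI
on: [pull_request]
jobs:
  changed:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Detect changed files
        uses: tj-actions/changed-files@v45
""",
    ".github/workflows/release.yml": """
name: Release
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: tj-actions/changed-files@abcdef0123456789abcdef0123456789abcdef01
""",
    ".github/workflows/docs.yml": """
name: Docs
on: [push]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: docker://ghcr.io/example/linter:latest
      - uses: ./.github/actions/local-lint
""",
}

# Matches `uses: <value>` at the start of a step (with or without the list dash).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")


@dataclass
class ActionRef:
    path: str   # workflow file the reference came from
    raw: str    # the exact `uses:` value
    repo: str   # owner/name, lower-cased; any subdirectory after it is dropped
    ref: str    # tag, branch or commit SHA following the '@'

    @property
    def pinned(self) -> bool:
        """True only for a full 40-hex commit SHA; tags and branches are mutable."""
        return bool(FULL_SHA_RE.match(self.ref))


def parse_action_refs(path: str, text: str) -> List[ActionRef]:
    """Extract GitHub-hosted action references from one workflow file."""
    refs: List[ActionRef] = []
    for match in USES_RE.finditer(text):
        raw = match.group(1)
        # Local actions (./...) and container images (docker://...) are not
        # fetched by GitHub tag, so a repointed tag cannot affect them.
        if raw.startswith("./") or raw.startswith("docker://") or "@" not in raw:
            continue
        target, ref = raw.rsplit("@", 1)
        owner_name = "/".join(target.split("/")[:2]).lower()
        refs.append(ActionRef(path=path, raw=raw, repo=owner_name, ref=ref))
    return refs


def audit_workflows(
    workflows: Dict[str, str],
    suspect_repo: str = "tj-actions/changed-files",
) -> Dict[str, List[ActionRef]]:
    """Bucket every action reference by exposure to the tag-repointing attack.

    suspect_mutable: the compromised action, referenced by tag/branch (affected).
    suspect_pinned:  the compromised action, referenced by full SHA (check that
                     the SHA itself predates the malicious commit; this script
                     only checks the form of the reference).
    other_mutable:   any other third-party action not pinned by SHA (same risk
                     class, should be pinned too).
    """
    report: Dict[str, List[ActionRef]] = {
        "suspect_mutable": [],
        "suspect_pinned": [],
        "other_mutable": [],
    }
    for path, text in workflows.items():
        for ref in parse_action_refs(path, text):
            if ref.repo == suspect_repo.lower():
                bucket = "suspect_pinned" if ref.pinned else "suspect_mutable"
                report[bucket].append(ref)
            elif not ref.pinned:
                report["other_mutable"].append(ref)
    return report


if __name__ == "__main__":
    for bucket, refs in audit_workflows(SAMPLE_WORKFLOWS).items():
        for r in refs:
            print(f"{bucket:16} {r.path}: {r.raw}")
```

Run it against the real `.github/workflows/` directory by reading each file into the dictionary in place of the constructed samples. A `suspect_pinned` hit is not automatically safe: the script verifies only that the reference has the shape of a commit SHA, so the pinned commit still has to be confirmed as one that predates the malicious commit, and any workflow that ran against a mutable reference during the attack window should have its logs reviewed and its secrets rotated.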

“This breach highlights the dangers of allowing adversaries to control accounts that push updates,” Braley told Cybersecurity Dive. “Given the widespread use of these open-source projects, a breach can quickly escalate.”


Copyright © 2025 Proxyserverpro.com