A popular GitHub Action used in more than 23,000 code repositories has been compromised in a supply chain attack by attackers who introduced a malicious commit aimed at leaking secrets like passwords held in public repositories.
In the compromise, which is being tracked as CVE-2025-30066, bad actors modified the code in GitHub Actions tj-actions/changed-files – which is used by repositories to track change files – by injecting a Node.js function that includes base64-encoded instructions that download a malicious Python script that scans the memory of GitHub Runner, which runs jobs from a GitHub Actions workflow.
GitHub Runner’s memory holds passwords and other credentials used in the continuous integration and continuous delivery (CI/CD) pipeline.
“The compromised Action prints CI/CD secrets in GitHub Actions build logs. If the workflow logs are publicly accessible (such as in public repositories), anyone could potentially read these logs and obtain exposed secrets,” Varun Sharma, co-founder and CEO of startup StepSecurity, wrote in a report.
The Compromise is Found
StepSecurity was the first to uncover the compromise, which Sharma said started early March 14.
Cybersecurity firm Sysdig noted that after the Node.js function is inserted into the action, the base64 payload decodes to show a script that downloads additional Python code from a Github gist and the Python script identifies the GitHub Runner’s, opens the memory mappings, and searches for credentials using regular expressions.
“The results are output and stored within the GitHub Action build logs,” Sysdig threat researcher Michael Clark wrote. “The attackers must have access to these logs to extract the secrets.”
Code Repositories as Targets
This was the latest attack on a code repository, with GitHub and others – such as the Python Package Index (PyPI) and npm – becoming popular targets of threat actors, who put malicious code into developer packages that is then spread downstream when companies unknowingly install it.
It’s that wide reach that makes sources of software used across large numbers for applications systems the most desirable attack surfaces, according to Mitch Ashley, vice president and practice lead for DevOps and application development at The Futurum Group.
“These attacks on open source, repositories, libraries, package managers and container images are why DevSecOps has progressed from application security to software supply chain security,” Ashley told DevOps.
In the attack on GitHub Actions, the “code repository that monitors file changes served as the payload delivery system for nefarious code that read memory and data, sending that information back to the attackers,” Ashley said. “By pulling and building infected software from the repo and executing infected code, it opened that user’s information to the attackers.”
A Lot of Compromise, Some Leaks
According to StepSecurity’s Sharma, most of the versions of tj-actions/changed-files were compromised, adding a number of public repositories leaked secrets in build logs. GitHub took quick actions when the problem was detected, including shutting down the tj-actions/changed-files Action. According to Sharma, the repository later on March 15 was restored, with none of the versions including the malicious exploit code.
Threat intelligence researchers are still sorting out how the campaign worked or who was behind it, though tj-actions maintainers wrote that it appears it was the result of a compromised GitHub personal access token (PAT) that was used by @tj-actions-bot, a bot that had privileged access to the repository.
Repairs Underway
The maintainers said that after the problem was detected, the compromised PAT was revoked, the password for the tj-actions-bot account was updated, and access to the account now only uses the minimum necessary permissions. In addition, now requires a passkey.
Researchers with cybersecurity startup Wiz wrote that the primary risk of the compromise is to public repositories, where the secrets are dumped into workflow logs are also public, adding that “the risk to private repos is limited.”
Threat hunting by Wiz researchers identified dozens of repositories affected by the malicious GitHub Action, including repositories run by large organizations.
“In these repositories, the malicious payload successfully executed and caused secrets to leak in workflow logs,” they wrote. “Some of the leaked secrets we’ve identified so far include valid AWS access keys, GitHub Personal Access Tokens (PATs), npm pokens, private RSA Keys and more.”
More Than Secrets
Dimitri Stiliadis, co-founder and CTO at Endor Labs, said that the bad actor had bigger goals than simply accessing secrets.
“The attacker was likely not looking for secrets in public repositories — they are already public,” Dimitri Stiliadis, co-founder and CTO at Endor Labs, wrote in a blog post outlining the risks. “They were likely looking to compromise the software supply chain for other open source libraries, binaries, and artifacts created with this. Any public repository that creates packages or containers as part of a CI pipeline could have been impacted. That means potentially 1,000s of open source packages have the potential to have been compromised.”
The security vendors identified a range of actions organizations should take, including running a code search across repositories, reviewing logs for recent executions of the GitHub Action, and rotating secrets in GitHub Actions workflow run logs. They also should consider alternatives to GitHub Action.