
23,000 GitHub Repositories at Risk: Critical Vulnerability Found in Popular GitHub Action!

In today’s world, software development processes are becoming increasingly automated. GitHub Actions is a convenient and efficient CI/CD tool for developers. However, a critical vulnerability was recently discovered in the popular “tj-actions/changed-files” GitHub Action, putting more than 23,000 repositories at risk.

This vulnerability has been assigned CVE-2025-30066, with a CVSS score of 8.6. Attackers modified the Action’s code, leading to the exposure of confidential user data.

According to security researchers at StepSecurity, attackers gained access to a Personal Access Token (PAT) used by the @tj-actions-bot on GitHub. Using this token, they modified the “tj-actions/changed-files” Action and injected malicious code into it.

They then updated the version tags of previous releases to point to the compromised code. This meant that any CI/CD workflow using this Action was at risk.

The malicious code read secrets out of the CI/CD runner’s memory during workflow execution and wrote them, encoded in Base64, into the GitHub Actions logs, where anyone with access to the logs could recover them.

What Data Was Compromised?

🔹 GitHub Personal Access Tokens (PATs)
🔹 API tokens
🔹 NPM tokens
🔹 Private RSA keys

❗ If you used this Action between March 14 and March 15, 2025, your confidential data may have been exposed!

What Actions Did GitHub Take?

✅ On March 15, GitHub removed the malicious code and restored the repository.
✅ In collaboration with StepSecurity, a patched and secure version was released.
✅ A fixed version of the Action, v46.0.1, was published to address the vulnerability.

What Do CISA and Security Experts Recommend?

🔹 Immediately rotate all compromised tokens and API keys.
🔹 Review CI/CD logs for any unexpected data leaks.
🔹 Pin Actions to a full commit hash instead of a version tag, since a tag can be moved to point at different code.
🔹 Use only trusted GitHub Actions from verified sources.
🔹 Regularly scan your repository’s code and analyze logs for suspicious activity.
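The pinning recommendation above is easy to check mechanically. The following script is an added example (not from the original post or from the tj-actions project) that scans a workflow file for `uses:` references and flags any third-party Action that is not pinned to a full 40-character commit SHA; the sample workflow and the SHA in it are constructed placeholders.

```python
import re

# Matches a step reference of the form owner/repo[/path]@ref after `uses:`.
# `#` is excluded from the capture so a trailing YAML comment is ignored.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)['\"]?", re.MULTILINE)

# A full 40-hex-character commit SHA is the only immutable reference form;
# tags (v46, v46.0.1) and branches (main) can be moved to different code.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def is_pinned(action_ref: str) -> bool:
    """Return True if the part after '@' is a full commit SHA."""
    if "@" not in action_ref:
        return False  # no ref at all means the default branch: mutable
    _, ref = action_ref.rsplit("@", 1)
    return bool(FULL_SHA_RE.match(ref))


def find_unpinned(workflow_text: str) -> list[str]:
    """Return every third-party Action reference that uses a mutable tag or branch."""
    unpinned = []
    for action_ref in USES_RE.findall(workflow_text):
        # Local actions and Docker images are not tag-pinned GitHub references;
        # skip them here so only remote owner/repo@ref entries are judged.
        if action_ref.startswith("./") or action_ref.startswith("docker://"):
            continue
        if not is_pinned(action_ref):
            unpinned.append(action_ref)
    return unpinned


# Constructed sample workflow; the 40-hex SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v46
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"unpinned: {ref}")
```

Short SHAs are flagged as well, since only the full 40-character SHA is unambiguous; a pin is only as trustworthy as the review you gave the commit it points to.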

This incident once again highlights the growing threat of supply chain attacks. When using third-party tools, especially in CI/CD workflows, it is essential to follow strict security measures.

If you use GitHub Actions, check your repository settings, update your confidential data, and take immediate steps to strengthen security! 🔒