Summary: A popular third-party GitHub Action, tj-actions/changed-files (tracked as CVE-2025-30066), was recently compromised. This GitHub Action is designed to detect which files have changed in a pull request or commit. The supply chain compromise allows for information disclosure of secrets including, but not limited to, valid access keys, GitHub Personal Access Tokens (PATs), npm tokens, and private RSA keys. This has been patched in v46.0.1.
The compromise of tj-actions/changed-files may have stemmed from a similar compromise of another GitHub Action, reviewdog/action-setup@v1 (tracked as CVE-2025-30154), which occurred around the same time.
Analyst Note: WaterISAC suggests that members who may be affected refer to CISA’s recent alert. Users are strongly encouraged to implement its recommendations to mitigate this compromise and to strengthen security when using third-party actions.
Original Source: https://www.cisa.gov/news-events/alerts/2025/03/18/supply-chain-compromise-third-party-github-action-cve-2025-30066
Additional Reading:
CISA Warns of Active Exploitation in GitHub Action Supply Chain Compromise
Mitigation Recommendations:
- Security hardening for GitHub Actions
- tj-actions changed-files through 45.0.7 allows remote attackers to discover secrets by reading actions logs.
- tj-actions changed-files
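One practical first step when acting on the recommendations above is to inventory which workflows reference the affected actions and which third-party actions are referenced by a mutable tag rather than a full commit SHA (the pinning practice GitHub's own hardening guidance recommends). The script below is an added example written for this summary, not code from CISA, WaterISAC or the tj-actions project; the workflow text it scans is constructed for illustration, the 40-character SHA in it is a placeholder, and the list of affected actions is assumed from the CVEs named above.

```python
import re

# Actions named in this advisory, mapped to their CVE identifiers
# (constructed from the advisory text; extend for your own environment).
AFFECTED_ACTIONS = {
    "tj-actions/changed-files": "CVE-2025-30066",
    "reviewdog/action-setup": "CVE-2025-30154",
}

# Matches a step reference of the form  owner/repo@ref  or  owner/repo/path@ref.
# Local actions (./path) and docker:// references carry no '@' form and are skipped.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?([\w.-]+/[\w.-]+)(/[^@'\"\s]*)?@([^'\"\s#]+)"
)

# A full-length commit SHA is 40 hex characters; anything else is a mutable ref.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow; the checkout SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - name: Get changed files
        uses: tj-actions/changed-files@v45
      - uses: reviewdog/action-setup@v1
      - uses: actions/setup-node@v4
"""


def audit_workflow_text(text):
    """Return one finding per `uses:` reference in a workflow file.

    Each finding records the action, the ref it is pinned to, whether that
    ref is a full commit SHA, and the CVE if the action is on the affected list.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = USES_RE.match(line)
        if not match:
            continue
        action, _subpath, ref = match.groups()
        findings.append({
            "line": lineno,
            "action": action,
            "ref": ref,
            "pinned_to_sha": bool(FULL_SHA_RE.match(ref)),
            "cve": AFFECTED_ACTIONS.get(action),
        })
    return findings


def risky_findings(findings):
    """Keep references that are on the affected list or not pinned to a SHA."""
    return [f for f in findings if f["cve"] or not f["pinned_to_sha"]]


if __name__ == "__main__":
    for f in risky_findings(audit_workflow_text(SAMPLE_WORKFLOW)):
        reason = f["cve"] or "not pinned to a full commit SHA"
        print(f"line {f['line']}: {f['action']}@{f['ref']} -> {reason}")
```

Run it against each file under `.github/workflows/` in a repository. A reference to an affected action is a signal to rotate any secrets that workflow could reach and to check its run logs, while an unpinned reference to any third-party action is a candidate for SHA pinning; the regex-based scan deliberately avoids a YAML parser dependency and so will miss `uses:` values built from expressions, which a full parse would still not resolve.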
Related WaterISAC PIRs: 6, 11