GitHub Security Alert: Malicious Code Discovered in Popular Action Affecting Thousands of Repositories
A significant security vulnerability has been identified in the GitHub Action ‘tj-actions/changed-files,’ which has implications for over 23,000 repositories. This issue was brought to light by StepSecurity’s CI/CD security solution, Harden-Runner, drawing attention to the potential risks posed to continuous integration and deployment (CI/CD) pipelines.
The vulnerability, cataloged as CVE-2025-30066, was present in all versions of the affected Action. This tool facilitates the identification of files that are modified within pull requests or commits, enabling development teams to automate processes such as testing and deployment based on specific file changes. Thus, its compromised status poses a substantial risk to the efficiency of CI/CD workflows, as it may allow remote attackers to access sensitive information through action logs.
Upon investigation, the malicious code was found to target the Runner.Worker process, potentially allowing exploitation of secrets, passwords, and authentication tokens disclosed during CI/CD executions. This exposure could lead to unauthorized access to critical internal systems and services, especially since sensitive information could have been made publicly available due to the vulnerability.
The timeline of this breach began on March 14, when a malicious commit, disguised as a standard Dependabot update, was incorporated into the code. Following this, all Action tags were redirected to the compromised commit, exposing a considerable number of repositories to risk. The community quickly identified suspicious activities linked to the Action, which included the exfiltration of environment variables and secrets.
In response to the growing concern, the compromised repository was taken offline within approximately twelve hours of the community’s alerts, thus halting the further spread of the malicious code. While it is unclear who initiated the takedown, the repository was reactivated on March 16 after the malicious commit was removed. Unfortunately, by this stage, an estimated 23,000 repositories had already been compromised.
The widespread usage of this Action, particularly in public repositories with GitHub Actions enabled, amplified the potential impact of the breach. The maintainer of tj-actions attributed the incident to the compromise of a personal access token (PAT) belonging to a GitHub bot that had repository access, underscoring the vulnerabilities in credential management.
GitHub has since responded by removing the affected Action from their platform, urging users to look for alternative solutions. However, this action may disrupt existing CI pipelines, especially for those relying on non-cached versions of the compromised Action.
For organizations utilizing Endor Labs, specific guidance on mitigating risks associated with the breach has been provided. Users have been advised to analyze dependencies for the tj-actions Action and perform CI scans to identify vulnerable repositories. Furthermore, they are encouraged to review GitHub logs for any suspicious activity and rotate sensitive credentials.
Beyond users of Endor Labs, all organizations are encouraged to take precautionary measures. This includes reviewing workflows for the compromised Action, eliminating it from all branches, and auditing previous CI workflows for potential compromises. Such vigilance is essential to safeguard against threats to the software supply chain, which may encompass a wide array of open-source libraries and binaries affected by this incident.
In examining the tactics employed in this breach through the lens of the MITRE ATT&CK framework, techniques such as initial access via credential dumping and exploitation of public repositories illustrate the risks of inadequate security measures. These tactics underscore the necessity for robust monitoring and incident response strategies to fortify defenses in the face of evolving cyber threats.
