CISA Warns of Supply-Chain Attack Exploiting GitHub Action Vulnerability

The Cybersecurity and Infrastructure Security Agency (CISA) has sounded the alarm over a critical supply-chain attack affecting a widely used third-party GitHub Action: tj-actions/changed-files.

This action, whose compromise is tracked as CVE-2025-30066, is designed to identify changes in files during pull requests or commits.

However, its compromise poses a significant risk to users by allowing unauthorized access to sensitive information, including access keys, GitHub Personal Access Tokens (PATs), npm tokens, and private RSA keys.

Impact and Response

The vulnerability was deemed severe enough for CISA to add CVE-2025-30066 to its Known Exploited Vulnerabilities Catalog.

The agency is urging users to update the affected action to at least version 46.0.1 to mitigate the issue.

The compromise highlights the growing concern of supply-chain attacks, where targeting a single component can have far-reaching consequences across hundreds or thousands of organizations using the affected software.

CISA emphasizes the importance of implementing robust security measures when using third-party actions.

This includes vigilance in monitoring logs for any signs of unauthorized access and ensuring that all software components are kept up-to-date with the latest security patches.
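As an added example (not code from CISA, the action's maintainers or this article), the remediation above can be checked by listing every `uses:` reference to tj-actions/changed-files in a repository's workflow files and flagging any ref below 46.0.1 or any ref that is not a fixed version tag. The function names, status labels and sample workflow are constructed for illustration; commit-SHA pins are only reported, since a SHA cannot be mapped to a release without querying the repository.

```python
import re
from pathlib import Path

ACTION = "tj-actions/changed-files"   # action named in the advisory
MIN_FIXED = (46, 0, 1)                # minimum version cited in the article
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([\w.-]+/[\w.-]+)@([^\s'\"#]+)")
SHA_RE = re.compile(r"[0-9a-f]{40}")
VER_RE = re.compile(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?")

def classify_ref(ref):
    """Classify the text after '@' in a uses: line (status labels are hypothetical)."""
    if SHA_RE.fullmatch(ref):
        return "sha-pin"        # immutable; confirm by hand that it is a fixed release
    m = VER_RE.fullmatch(ref)
    if not m:
        return "mutable-ref"    # branch name or non-version tag
    nums = [int(g) for g in m.groups() if g is not None]
    if len(nums) < 3:           # floating tag such as v45 or v46
        return "outdated" if nums[0] < MIN_FIXED[0] else "floating-tag"
    return "outdated" if tuple(nums) < MIN_FIXED else "fixed-tag"

def scan_workflow(text):
    """Return (line_no, ref, status) for each use of ACTION in one workflow."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and m.group(1).lower() == ACTION:
            findings.append((no, m.group(2), classify_ref(m.group(2))))
    return findings

def scan_repo(root="."):
    """Map each workflow file under <root>/.github/workflows to its findings."""
    files = sorted(Path(root, ".github", "workflows").glob("*.y*ml"))
    hits = {str(p): scan_workflow(p.read_text(encoding="utf-8")) for p in files}
    return {p: h for p, h in hits.items() if h}

# Constructed sample workflow (refs and SHA are made up for the example)
SAMPLE = """\
steps:
  - uses: actions/checkout@v4
  - uses: tj-actions/changed-files@v45.0.7
  - name: list changes
    uses: tj-actions/changed-files@v46
  - uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567
  - uses: tj-actions/changed-files@v46.0.1
"""

if __name__ == "__main__":
    for no, ref, status in scan_workflow(SAMPLE):
        print(f"line {no}: @{ref} -> {status}")
```

Anything reported as `outdated`, `floating-tag` or `mutable-ref` is a candidate for the update the advisory calls for; `scan_repo()` applies the same check to a checked-out repository.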

Guidance and Resources

CISA provides several resources for organizations to address this vulnerability effectively:

  • GitHub Documentation: Users can find detailed guidance on security hardening for GitHub Actions in the official GitHub documentation.
  • Vendor Support: Specific details about the compromised action and its impact are available on the GitHub page for tj-actions/changed-files.
  • Security Tools: Additional tools, such as Harden-Runner detection by StepSecurity and analysis by Wiz, offer insights into detecting and mitigating the attack.

This support ensures prompt action can be taken to protect against further exploitation.

The compromise of tj-actions/changed-files serves as a stark reminder of the importance of maintaining robust security practices in software development and deployment.

As the digital landscape continues to evolve, vigilance against such vulnerabilities is crucial for protecting sensitive information and maintaining trust in software supply chains.

Users must remain proactive in updating their systems and adhering to best security practices to safeguard against emerging threats.

Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.