Monday, May 5, 2025
HomeCyber AttackSupply Chain Attack Targets 23,000 GitHub Repositories

Supply Chain Attack Targets 23,000 GitHub Repositories

Published on

SIEM as a Service

Follow Us on Google News

A critical security incident has been uncovered involving the popular GitHub Action tj-actions/changed-files, which is used in over 23,000 repositories.

The attack involves a malicious modification of the Action’s code, leading to the exposure of CI/CD secrets in GitHub Actions build logs.

This vulnerability was detected by StepSecurity’s Harden-Runner, a tool designed to secure CI/CD workflows by monitoring network activities and controlling access on GitHub-hosted and self-hosted runners.

- Advertisement - Google News

The compromised Action executes a malicious Python script that dumps sensitive data from the GitHub Actions runner’s memory.

The exploit specifically targets Linux environments, where it attempts to extract secrets by reading the memory of the Runner Worker process.

The malicious code was introduced through a retroactive update of multiple version tags, all pointing to the same malicious commit hash.

This sophisticated attack strategy allowed the attackers to compromise most versions of the Action without immediately raising suspicion.

Incident Timeline

The incident began on March 14, 2025, and was quickly identified by StepSecurity’s anomaly detection capabilities.

By March 15, GitHub had removed the compromised Action, preventing further use in workflows.

However, the repository was later restored with all versions updated to exclude the malicious code.

To mitigate the impact, StepSecurity released a secure drop-in replacement for the compromised Action, recommending that users replace all instances of tj-actions/changed-files with step-security/changed-files.

Response

The attack highlights the risks associated with supply chain vulnerabilities in open-source software.

While there is no evidence that leaked secrets were exfiltrated to remote networks, public repositories are particularly vulnerable as their build logs are accessible to anyone.

Users are advised to review recent workflow logs for signs of leaked secrets and rotate these secrets immediately if found.

An official CVE (CVE-2025-30066) has been published to track this incident, emphasizing the need for proactive security measures in CI/CD pipelines.

Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Hackers Exploit Email Fields to Launch XSS and SSRF Attacks

Cybersecurity researchers are raising alarms as hackers increasingly weaponize email input fields to execute cross-site...

Luna Moth Hackers Use Fake Helpdesk Domains to Target Victims

A recent investigation by cybersecurity firm EclecticIQ, in collaboration with threat hunters, has exposed...

SonicBoom Attack Chain Lets Hackers Bypass Login and Gain Admin Control

Cybersecurity researchers have uncovered a dangerous new exploitation technique, dubbed the "SonicBoom Attack Chain,"...

Researcher Uses Copilot with WinDbg to Simplify Windows Crash Dump Analysis

A researcher has unveiled a novel integration between AI-powered Copilot and Microsoft's WinDbg, dramatically...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Hackers Exploit Email Fields to Launch XSS and SSRF Attacks

Cybersecurity researchers are raising alarms as hackers increasingly weaponize email input fields to execute cross-site...

Luna Moth Hackers Use Fake Helpdesk Domains to Target Victims

A recent investigation by cybersecurity firm EclecticIQ, in collaboration with threat hunters, has exposed...

SonicBoom Attack Chain Lets Hackers Bypass Login and Gain Admin Control

Cybersecurity researchers have uncovered a dangerous new exploitation technique, dubbed the "SonicBoom Attack Chain,"...