Supply-chain attack exposing credentials affects 23K users of tj-actions
- A compromise of tj-actions/changed-files caused public repositories to print sensitive credentials into their workflow logs, where anyone could view them.
- The tj-actions team confirmed the compromise occurred after a bot account was breached, though the motivation and identity of the attackers remain unknown.
- The compromised action code dumped the memory of the build servers running it, searched that memory for credentials, and wrote them to the workflow log.
- RunZero CEO and open-source security expert HD Moore stated that actions can modify the source code and access secret variables, emphasizing the potential dangers.
- Cybersecurity experts recommend an immediate response: audit repositories, rotate secrets, and find alternatives to tj-actions/changed-files. The compromise has been assigned CVE-2025-30066 with a high severity score of 8.6.
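As an added illustration of the "audit repositories" step above (this is not code from any of the cited articles or from the tj-actions project), the script below lists every action referenced in a workflow file, flags references to the compromised action, and reports whether each reference is pinned to an immutable 40-character commit SHA rather than a mutable tag or branch. The sample workflow, its step names and the SHA values are constructed for the example.

```python
import re
from dataclasses import dataclass

# Action named in the advisory; extend the set to cover other actions under review.
AFFECTED_ACTIONS = {"tj-actions/changed-files"}

# Matches `uses: owner/repo[/path]@ref` (optionally list-prefixed or quoted).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^@'\"\s]+)@([^'\"\s]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # full commit SHA = immutable pin


@dataclass
class Finding:
    line: int
    action: str
    ref: str
    pinned_to_sha: bool
    affected: bool


def audit_workflow(text: str) -> list[Finding]:
    """Return one Finding per `uses:` reference found in a workflow file."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(raw)
        if not m:
            continue  # local actions (./path) and plain run steps carry no @ref
        action, ref = m.group(1), m.group(2)
        repo = "/".join(action.split("/")[:2])  # drop any sub-directory path
        findings.append(Finding(lineno, action, ref, bool(SHA_RE.match(ref)),
                                repo in AFFECTED_ACTIONS))
    return findings


def needs_action(findings: list[Finding]) -> list[Finding]:
    """References to review: the affected action, or any ref not pinned to a SHA."""
    return [f for f in findings if f.affected or not f.pinned_to_sha]


# Constructed sample workflow; SHAs are placeholders, not real commits.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: tj-actions/changed-files@v45
        id: changed
      - uses: "tj-actions/changed-files@89abcdef0123456789abcdef0123456789abcdef"
      - uses: ./.github/actions/local
      - name: Build
        run: make
"""

if __name__ == "__main__":
    for f in needs_action(audit_workflow(SAMPLE_WORKFLOW)):
        print(f"line {f.line}: {f.action}@{f.ref} "
              f"pinned_to_sha={f.pinned_to_sha} affected={f.affected}")
```

Running it over a real checkout means feeding each file under `.github/workflows/` to `audit_workflow`; a pinned reference to the affected action still warrants secret rotation if the job ran during the compromise window.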
22 Articles
Supply chain attack on popular GitHub Action exposes CI/CD secrets
A supply chain attack on the widely used 'tj-actions/changed-files' GitHub Action, used by 23,000 repositories, potentially allowed threat actors to steal CI/CD secrets from GitHub Actions build logs.
Supply Chain Compromise of Third-Party GitHub Action, CVE-2025-30066
sneary, Mar 18, 2025. Release Date: March 18, 2025. Description: A popular third-party GitHub Action, tj-actions/changed-files (tracked as CVE-2025-30066), was compromised. This GitHub Action is designed to detect which files have changed in a pull request or commit. The supply chain compromise allows for information disclosure of secrets including, but not limited to, valid access …
Coverage Details
Bias Distribution
- 100% of the sources are Center