While developers were busy shipping code, a major security breach was silently unfolding in one of GitHub’s most popular actions. The tj-actions/changed-files action, used by over 23,000 repositories, was compromised on March 15, 2025. Not a small deal.
The attackers were able to modify the action’s code and retroactively update multiple version tags to point at a malicious commit, so every version through v45.0.7 could be affected. The injected code targeted the Runner.Worker process memory, running a Python script designed to dump CI/CD secrets: a classic supply chain attack with a twist.
These wouldn’t just be average secrets getting exposed. AWS keys, GitHub tokens, NPM tokens could all end up in workflow logs. For public repositories, these secrets might be visible to anyone paying attention. To avoid detection, attackers could even obfuscate them as double-encoded base64 payloads. Sneaky.
Sensitive cloud credentials sitting in plain sight, disguised as base64 gibberish for anyone curious enough to look.
The vulnerability was assigned CVE-2025-30066. Too little, too late for many.
The potential fallout? Massive. Organizations could face credential theft, CI pipeline compromises, and exposure of cloud production environments. Internal source code repositories might also be at risk. In such a scenario, enterprise organizations would likely scramble to contain the damage. Security awareness training could help teams spot suspicious activity in their workflow logs before a breach escalates.
To mitigate CVE-2025-30066, the high-severity vulnerability in the widely used GitHub Action tj-actions/changed-files, organizations need a comprehensive response. The vulnerability demands immediate attention given its CVSS score of 8.6. First, update to version 45.0.8 or later to remove the vulnerable code from CI/CD pipelines. For repositories that ran workflows using this action between March 12-15, 2025, treat all secrets as compromised and rotate them immediately, starting with public repositories. Download workflow logs for forensic analysis before deleting compromised workflows to prevent further exposure. Remove all references to the vulnerable action across all branches, not just the main branch. As a preventative measure against future supply chain attacks, pin GitHub Actions to specific commit hashes rather than version tags. Additionally, use GitHub’s allow-listing feature to restrict execution to trusted actions only, and audit past workflow runs for suspicious activity to further strengthen security posture. If immediate updates aren’t possible, tighten access controls on workflow logs as a temporary mitigation while preparing a complete remediation.
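As an added example (not code from the original article or from the tj-actions project), the Python below implements two of the audit steps described above: flagging workflow files that reference tj-actions/changed-files by a mutable tag instead of a full commit SHA, and scanning downloaded workflow logs for double-base64-encoded blobs that decode to secret-like strings. The sample workflow, the sample log and the small secret-pattern set are constructed assumptions, not data from any real repository.

```python
import base64
import re

# Constructed sample workflow (not from any real repository). One step pins the
# action to a mutable tag; the other pins to a full commit SHA (placeholder value).
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45.0.7
      - uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+)(?:/[^@\s]+)?@(\S+)", re.M)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def find_unpinned(workflow_text, action="tj-actions/changed-files"):
    """Refs of `action` that are mutable tags/branches rather than full commit SHAs."""
    return [ref for name, ref in USES_RE.findall(workflow_text)
            if name == action and not FULL_SHA_RE.match(ref)]

def decode_double_base64(token):
    """Decode base64 twice; return the text only if both layers are well-formed."""
    try:
        inner = base64.b64decode(token, validate=True)
        plain = base64.b64decode(inner, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None
    return plain if plain.isprintable() else None

B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
# Hypothetical, deliberately small set of secret shapes; extend for real scans.
SECRET_RE = re.compile(r"(?:AWS|GITHUB|NPM)_\w*(?:TOKEN|KEY)=|ghp_\w+|AKIA[0-9A-Z]{16}")

def scan_log_for_secrets(log_text):
    """(line number, decoded text) for double-base64 blobs that look like secrets."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for token in B64_TOKEN_RE.findall(line):
            plain = decode_double_base64(token)
            if plain and SECRET_RE.search(plain):
                findings.append((lineno, plain))
    return findings

# Constructed log excerpt: a placeholder token, encoded twice as the post describes.
PAYLOAD = base64.b64encode(base64.b64encode(b"GITHUB_TOKEN=ghp_PLACEHOLDER")).decode()
SAMPLE_LOG = "Run tj-actions/changed-files@v45.0.7\n" + PAYLOAD + "\nAll done.\n"
```

Running both scanners over real checkouts and downloaded logs gives a list of branches still referencing the action by tag and of log lines that should be treated as leaked secrets and rotated.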