By Kaaviya, Security Editor and fellow reporter with Cyber Security News, covering cyber security incidents.

CISA has added a critical vulnerability affecting the popular GitHub Action “tj-actions/changed-files” to its Known Exploited Vulnerabilities Catalog. The supply chain attack, tracked as CVE-2025-30066 with a CVSS score of 8.6, potentially exposed sensitive CI/CD secrets from over 23,000 repositories that use this widely adopted automation tool.

The attack targeted the “tj-actions/changed-files” GitHub Action, which is intended to detect files modified in pull requests or commits. Security researchers at StepSecurity first detected the compromise on March 14, 2025, after observing suspicious activity in the GitHub Action’s repository. The attackers injected malicious code into the Action and retroactively updated multiple version tags to reference the compromised commit, so workflows referencing existing release tags also received the malicious code.

The vulnerability allowed attackers to extract sensitive information, including API tokens, GitHub PATs, npm tokens, and private RSA keys, from workflow logs. The malicious activity began around March 14, 2025, and GitHub took swift action by removing the compromised Action on March 15.

“CISA has urged Federal Civilian Executive Branch (FCEB) agencies to apply the necessary patches by April 8, 2025, in light of active exploitation,” according to security reports.

This incident serves as a critical reminder of the importance of implementing robust security practices when using third-party code in CI/CD pipelines, especially as supply chain attacks continue to target trusted development tools.
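Because the attackers moved existing version tags onto the malicious commit, a workflow that referenced the Action by tag (for example `@v45`) picked up the compromised code without any change on the consumer's side. The defensive check below is an added example written for this article, not code from the article, from GitHub, or from the tj-actions project. It does two things that follow directly from the incident: it scans a workflow file for `uses:` references that are not pinned to a full 40-character commit SHA, and it compares a previously recorded tag-to-commit map against a freshly observed one to surface tags that have been retargeted. The workflow text, the tag maps, and the commit SHAs in it are constructed placeholders; the real commit hashes from the incident are not reproduced here.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample workflow (not from the article). Two steps reference an
# action by a mutable tag, one by a full commit SHA, plus a local path and a
# docker:// reference, which carry no git ref at all.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Detect changed files
        uses: tj-actions/changed-files@v45
      - name: Pinned step
        uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # constructed placeholder SHA
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
"""

# Matches `uses:` lines whether or not they start the step (`- uses:` or `uses:`).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
# A reference is immutable only when it is a full 40-hex-digit commit SHA.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_uses(workflow_text: str) -> List[Tuple[str, str]]:
    """Return (action, ref) pairs for every `uses:` line in the workflow.

    Local paths (./...) and docker:// images have no git ref and get ref ''.
    """
    out: List[Tuple[str, str]] = []
    for m in USES_RE.finditer(workflow_text):
        spec = m.group(1).strip("'\"")
        if spec.startswith("./") or spec.startswith("docker://"):
            out.append((spec, ""))
            continue
        action, _, ref = spec.partition("@")
        out.append((action, ref))
    return out


def unpinned_actions(workflow_text: str) -> List[Tuple[str, str]]:
    """Actions referenced by a tag or branch instead of a full commit SHA.

    These are the references that silently change when a tag is moved, which
    is exactly how consumers of the Action were affected in this incident.
    """
    return [(a, r) for a, r in parse_uses(workflow_text)
            if r != "" and not FULL_SHA_RE.match(r)]


def tag_drift(recorded: Dict[str, str], observed: Dict[str, str]) -> List[str]:
    """Tags whose resolved commit differs from the commit recorded earlier.

    Release tags should never move; a moved tag is a retroactive tag update
    and deserves an alert before any workflow runs against it.
    """
    return sorted(t for t, sha in recorded.items()
                  if t in observed and observed[t] != sha)


# Constructed tag maps with placeholder SHAs (not the incident's real commits):
# two of three release tags now point somewhere other than where they were
# recorded, mimicking the retargeting described in the article.
RECORDED_TAGS = {"v45": "a" * 40, "v44": "b" * 40, "v43": "c" * 40}
OBSERVED_TAGS = {"v45": "f" * 40, "v44": "b" * 40, "v43": "f" * 40}

if __name__ == "__main__":
    for action, ref in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"unpinned: {action}@{ref} (pin to a full commit SHA)")
    for tag in tag_drift(RECORDED_TAGS, OBSERVED_TAGS):
        print(f"tag moved: {tag} now resolves to a different commit")
```

In practice the "observed" map would come from `git ls-remote --tags` against the action's repository on each CI run, and the "recorded" map from the last known-good run; the comparison itself is all that is shown here. Pinning to a SHA stops a moved tag from changing what runs, but it does not audit the pinned commit, so the pin should be reviewed and bumped deliberately rather than by an automatic tag-follow.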
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 19 Mar 2025 11:55:23 +0000