GitHub restores code following malicious changes to tj-actions tool | The Record from Recorded Future News

GitHub was forced to take action this weekend to help users after a threat actor compromised a popular open source package used by more than 23,000 organizations.

On Friday, cybersecurity firm StepSecurity warned of a security incident impacting the tj-actions/changed-files GitHub Action, a popular tool used to track file changes and trigger other actions depending on those alterations. According to StepSecurity, the attackers modified code in tj-actions/changed-files that affected public repositories and leaked secrets in logs.

The bug, referred to as CVE-2025-30066, allowed remote attackers to expose Continuous Integration and Continuous Deployment (CI/CD) secrets through the action’s build logs and affects any user who relies on the tj-actions/changed-files action to track changed files within a pull request. If logs are publicly accessible, such as in public repositories, unauthorized users could access and retrieve the clear text secrets, experts at Aqua Security explained.

A spokesperson told Recorded Future News that there is no evidence to suggest a compromise of GitHub or its systems. Several experts who spoke to Recorded Future News said GitHub’s CI/CD ecosystem is a high-value target for hackers seeking to inject malicious code.

Mureinik told Recorded Future News that a GitHub Action is ultimately a piece of software, and like any piece of software there are solutions to ensure that the version being used is patched and up to date. “While it may be tempting to shrug all these considerations off as ‘the platform’s problem,’ the responsibility to ensure the security of a software project lies with those who build it, whether it’s built locally or by using a third-party service like GitHub,” Mureinik said. “Security professionals must audit their repositories for usage of the compromised Action and replace or remove it entirely, rotating all potentially exposed secrets including AWS keys, GitHub PATs, npm tokens, and RSA keys,” he said.

Users should always review GitHub Actions or any other package that they are using in their code before they update to new versions. Others, like Salt Security director Eric Schwake, noted that the incident was a prime example of why security teams must stay concerned about widely used and seemingly harmless tools being misused as vectors for attack.
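The audit step Mureinik describes (find every workflow that uses the compromised action, then replace or remove it and rotate secrets) starts with locating the references. The script below is an added example, not code from the article, from GitHub or from the tj-actions project: it walks a repository's `.github/workflows` directory, picks out `uses:` lines that reference `tj-actions/changed-files`, and reports whether each reference is pinned to a full 40-character commit SHA or to a mutable tag or branch that upstream can repoint. The sample workflow text, the `SAMPLE_WORKFLOW` name and the 40-hex-character SHA inside it are constructed placeholders, not the project's real pinned revision.

```python
"""
Audit GitHub Actions workflow files for references to one action and report
how each reference is pinned.  Example code added for illustration; it is not
from The Record article, GitHub or the tj-actions project.  Uses only the
standard library so it runs offline.
"""
import re
import tempfile
from pathlib import Path

# A full-length git commit SHA is 40 hex characters.  Anything else after the
# '@' (a tag such as v45 or a branch such as main) is a mutable ref that the
# upstream repository can move to a different commit at any time.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Matches `uses:` lines in workflow YAML, with or without a leading list dash
# and with or without quotes, e.g.  `- uses: owner/repo@ref`  or
# `uses: "owner/repo/subdir@ref"`.  Group 1 is the action, group 2 the ref.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^@'"\s]+)@([^'"\s#]+)""")

# Constructed sample workflow (placeholder content, not a real repository).
# The 40-hex SHA on the last step is a placeholder, not a real revision.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  changes:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Detect changed files
        uses: tj-actions/changed-files@v45          # mutable tag
      - uses: "tj-actions/changed-files@main"       # branch ref
      - uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
"""


def scan_workflow_text(text, action="tj-actions/changed-files"):
    """Return one finding per reference to `action` (or a sub-action under it)."""
    target = action.lower()
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        name, ref = m.group(1), m.group(2)
        lowered = name.lower()
        # `owner/repo/path@ref` references a sub-action in the same repo, so it
        # is pulled from the same upstream and must be audited too.
        if lowered != target and not lowered.startswith(target + "/"):
            continue
        findings.append({
            "line": lineno,
            "uses": f"{name}@{ref}",
            "pinned_to_sha": bool(SHA_RE.match(ref)),
        })
    return findings


def scan_repo(root, action="tj-actions/changed-files"):
    """Scan every *.yml / *.yaml under <root>/.github/workflows; map path -> findings."""
    root = Path(root)
    wf_dir = root / ".github" / "workflows"
    results = {}
    for path in sorted(list(wf_dir.glob("*.yml")) + list(wf_dir.glob("*.yaml"))):
        findings = scan_workflow_text(path.read_text(encoding="utf-8"), action)
        if findings:
            results[str(path.relative_to(root))] = findings
    return results


def report_lines(results):
    """Render scan results as human-readable lines (one per finding)."""
    lines = []
    for path, findings in results.items():
        for f in findings:
            status = "SHA-pinned" if f["pinned_to_sha"] else "MUTABLE REF (tag/branch)"
            lines.append(f"{path}:{f['line']}: {f['uses']} -> {status}")
    return lines


if __name__ == "__main__":
    # Write the constructed workflow into a throwaway repo layout and scan it.
    with tempfile.TemporaryDirectory() as tmp:
        wf = Path(tmp) / ".github" / "workflows"
        wf.mkdir(parents=True)
        (wf / "ci.yml").write_text(SAMPLE_WORKFLOW, encoding="utf-8")
        for line in report_lines(scan_repo(tmp)):
            print(line)
```

A reference reported as a mutable ref is one whose code can change underneath the workflow without any edit to the repository, which is why GitHub's own hardening guidance recommends pinning third-party actions to a full commit SHA. A SHA pin only narrows the problem, though: it still has to point at a revision that has been reviewed, and any repository whose workflow ever ran a compromised revision still needs the secrets rotation the article quotes.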

This Cyber News was published on therecord.media. Publication date: Mon, 17 Mar 2025 20:40:26 +0000

