GitHub Actions in Your Workflows Could Leak Data and Information
A new security issue has been added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) list of known risks. The problem comes from a flaw in the tj-actions/changed-files GitHub Action that lets attackers inject malicious code. The vulnerability is tracked as CVE-2025-30066 with a high risk score of 8.6, and it can allow attackers to obtain sensitive information by reading log files.
What Happened
According to CISA, the tj-actions/changed-files Action has a hidden weakness that lets remote attackers view secrets by looking at the logs. These secrets could include AWS keys, GitHub tokens, npm tokens, and private RSA keys. Security firm Wiz has pointed out that this may be part of a chain attack. It appears that attackers first broke into the reviewdog/action-setup@v1 GitHub Action before moving on to compromise tj-actions/changed-files. Wiz researcher Rami McCarthy noted that the breach in reviewdog happened around the same time as the compromised GitHub token in tj-actions.
The incident is believed to have started on March 11, 2025, with the malicious changes being made sometime before March 14, 2025.
How the Attack Worked
The infected reviewdog Action could inject harmful code into any workflow that uses it. In this case, the attack added a hidden Base64-encoded payload to a file named install.sh, which then exposed secret data in the logs. Only the v1 version of reviewdog/action-setup is affected by this issue.
Furthermore, the maintainers of tj-actions explained that attackers used a stolen GitHub Personal Access Token (PAT) to make unauthorized changes. This allowed them to update the v1 tag with the harmful code from a forked version of the repository.
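Because the attackers re-pointed a tag at malicious code, any workflow that references an Action by tag runs whatever that tag currently resolves to. The following is an added example, not code from the original article or from the affected projects: it audits workflow text for `uses:` references that are not pinned to a full 40-character commit SHA and marks the two Actions named above. The function name, the sample workflow and the placeholder SHA are constructed for illustration.

```python
import re

# Actions named in the article as compromised; tag references to these need review first.
NAMED_ACTIONS = {"tj-actions/changed-files", "reviewdog/action-setup"}

# Matches "uses: owner/repo[/subpath]@ref"; local (./) and docker:// references do not match.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([\w.-]+/[\w.-]+)(?:/[^@\s'\"]+)?@([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text):
    """Return (line, action, ref, named_in_article) for each `uses:` not pinned to a full SHA."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # skip commented-out steps
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group(1), m.group(2)
        if FULL_SHA_RE.match(ref):
            continue  # immutable reference: moving a tag cannot change what runs
        findings.append((lineno, action, ref, action.lower() in NAMED_ACTIONS))
    return findings


# Constructed sample workflow (the 40-hex SHA below is a placeholder, not a real commit).
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # pinned
      - uses: reviewdog/action-setup@v1
      - name: changed files
        uses: tj-actions/changed-files@v45
      # - uses: example/disabled-action@main
      - uses: ./local-action
"""

if __name__ == "__main__":
    for lineno, action, ref, named in audit_workflow(SAMPLE_WORKFLOW):
        flag = "NAMED IN ARTICLE" if named else "mutable ref"
        print(f"line {lineno}: {action}@{ref} [{flag}]")
```

Short SHAs, branch names and version tags are all reported, since only a full commit SHA is immutable from the workflow's point of view.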
Security Advice and Next Steps
Users and federal agencies are urged to update their tj-actions/changed-files to version 46.0.1 by April 4, 2025, to protect against current threats. In addition to upgrading, it is important to:
Taking these steps will help secure your systems, although the root issue means there is still a chance of similar attacks in the future.