Security researchers are warning of a supply chain attack against the tj-actions/changed-files GitHub Action, which is used in more than 23,000 repositories.
A malicious commit was detected early Friday, resulting in a massive exposure of secrets, according to StepSecurity, which discovered the compromise.
The action is widely used in continuous integration/continuous delivery pipelines, where it helps automate software development.
“This incident highlights the growing risks in software supply chains and the need for real-time CI/CD security monitoring to detect and prevent such actions,” Varun Sharma, CEO of StepSecurity, said via email.
The incident is being tracked as CVE-2025-30066, which allows remote attackers to discover secrets by reading action logs.
Wiz Threat Research has identified dozens of repositories affected by the incident. This includes repos operated by large organizations.
Among the leaked CI/CD secrets are valid AWS access keys, GitHub personal access tokens, private RSA keys and other secrets.
The malicious update was quickly resolved, but organizations will now have to search for which of their software was using the malicious package, according to Jonathan Braley, director of threat intelligence at IT-ISAC.
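The search Braley describes starts with an inventory of where the action is referenced. The following is an added example, not tooling from StepSecurity, Wiz or the tj-actions project: it scans workflow files for `uses:` steps that reference tj-actions/changed-files and reports whether each reference is pinned to a full commit SHA or to a mutable tag or branch (the sample workflow and the SHA in it are constructed placeholders).

```python
import re
from pathlib import Path

# Only a full-SHA pin guarantees a step runs the code that was reviewed; a tag
# such as v45 or a branch can be re-pointed by whoever controls the upstream repo.
AFFECTED_ACTION = "tj-actions/changed-files"

# Matches `uses: owner/repo[/path]@ref`, optionally quoted, with an optional
# trailing comment (SHA-pinned steps usually carry the tag in that comment).
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?(?P<action>[\w.-]+/[\w.-]+)(?P<path>/[^@'\"\s]*)?@(?P<ref>[^'\"\s#]+)"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_action_refs(workflow_text: str, action: str = AFFECTED_ACTION) -> list[dict]:
    """Return one record per `uses:` line that references `action`."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m or m.group("action").lower() != action.lower():
            continue
        ref = m.group("ref")
        findings.append({"line": lineno, "ref": ref, "pinned": bool(SHA_RE.match(ref))})
    return findings


def scan_workflows(repo_root: Path, action: str = AFFECTED_ACTION) -> list[tuple[Path, dict]]:
    """Walk .github/workflows under repo_root and collect every reference."""
    results = []
    for wf in sorted(repo_root.glob(".github/workflows/*.y*ml")):
        for finding in find_action_refs(wf.read_text(encoding="utf-8"), action):
            results.append((wf, finding))
    return results


# Constructed sample workflow; the 40-hex SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: "tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567" # v45
      - uses: tj-actions/changed-files@main
"""

if __name__ == "__main__":
    for f in find_action_refs(SAMPLE_WORKFLOW):
        status = "pinned to SHA" if f["pinned"] else "MUTABLE ref, review and re-pin"
        print(f"line {f['line']}: @{f['ref']} -> {status}")
```

Run `scan_workflows(Path("."))` from a checked-out repository to inventory real workflow files; a mutable reference is a place to verify which version actually ran during the exposure window and to rotate any secrets that job could read.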
“When an adversary gains control of an account that can push updates, things can get out of hand quickly,” Braley told Cybersecurity Dive via email. “Because some of these open-source projects can be used in hundreds and thousands of products, it is a big concern when one is breached and a malicious update is pushed.”