GitHub Action compromise linked to previously undisclosed attack

Dive Brief:
- The GitHub Action supply chain compromise that threatened the security of more than 23,000 repositories appears to be linked to a previously undisclosed attack against a second entity last week, according to security researchers and federal authorities.
- The previously disclosed compromise of tj-actions/changed-files appears to be related to a March 11 attack against reviewdog/action-setup@v1, which is being tracked as CVE-2025-30154. The tj-actions/changed-files compromise, tracked as CVE-2025-30066, took place between March 14-15 and led to secrets being leaked, according to the Cybersecurity and Infrastructure Security Agency.
- CISA added CVE-2025-30066 to its known exploited vulnerabilities catalog and asked organizations to report any anomalous activity or confirmed incidents to its 24/7 operations center.
Dive Insight:
The tj-actions/changed-files incident was traced to the compromise of a personal access token linked to the @tj-actions-bot account used by the maintainer, Step Security said in a recent blog post. As a result, a malicious Python script began to dump continuous integration/continuous delivery secrets from the Runner.Worker process, according to Step Security.
Researchers from Endor Labs said about 218 repositories leaked secrets linked to the tj-actions/changed-files compromise. The majority of those secrets were GITHUB_TOKEN values, which generally expire once the workflow completes.
The compromise of reviewdog/action-setup@v1 was discovered after security researcher Adnan Khan posted information on X and researchers from Wiz realized the v1 tag had been compromised.
The scope of the reviewdog/action-setup@v1 incident is believed to be much smaller than the tj-actions/changed-files compromise, according to a spokesperson for Wiz. The reviewdog/action-setup@v1 incident lasted only about two hours and affected about 1,500 repositories, compared with about 22 hours and 14,000 repositories in the larger attack.
GitHub provided guidance for users to determine whether they have been compromised and to add hardening measures to prevent such an attack in the future.
Organizations should review workflows done between March 14-15 and revoke and rotate secrets if any sensitive information was disclosed.
Researchers from Palo Alto Networks said that for long-term security, organizations should implement strict pipeline-based access controls.
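One way to act on the guidance above, as an added example that is not GitHub's tooling or code from the article: a small scanner over workflow files that flags `uses:` references to the two actions named here, any action referenced by a mutable tag rather than a full commit SHA, and workflows that grant the default or `write-all` token permissions instead of a restricted `permissions:` block. Pinning actions to a commit SHA and setting least-privilege token permissions are standard GitHub hardening measures; the sample workflow text and the 40-hex SHA inside it are constructed for this example.

```python
import re
from dataclasses import dataclass

# Actions named in the article. Any reference is flagged so the run logs for the
# incident windows (March 11; March 14-15) can be pulled and reviewed.
AFFECTED_ACTIONS = {"tj-actions/changed-files", "reviewdog/action-setup"}

# "uses: owner/repo[/path]@ref" (local "./" and "docker://" references have no "@"
# and are skipped; they are not third-party marketplace actions).
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^@\s"\']+)@([^\s"\'#]+)')
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
PERMISSIONS_RE = re.compile(r"^\s*permissions:\s*(\S*)")


@dataclass
class Finding:
    line: int      # 1-based line in the workflow text; 0 = whole-file finding
    action: str
    ref: str
    reason: str


def scan_workflow(text: str) -> list[Finding]:
    """Return the findings for one workflow file's text."""
    findings = []
    restrictive_permissions = False
    for n, line in enumerate(text.splitlines(), 1):
        perm = PERMISSIONS_RE.match(line)
        if perm:
            if perm.group(1) == "write-all":
                findings.append(Finding(n, "<workflow>", "", "permissions: write-all grants the token full write access"))
            else:
                restrictive_permissions = True
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group(1), m.group(2)
        repo = "/".join(action.split("/")[:2])      # drop any sub-path inside the repo
        pinned = bool(SHA_RE.match(ref))
        if repo in AFFECTED_ACTIONS:
            reason = "references an action named in the compromise; review runs in the incident window"
            if not pinned:
                reason += " (mutable tag, so the code that ran cannot be determined from the reference alone)"
            findings.append(Finding(n, action, ref, reason))
        elif not pinned:
            findings.append(Finding(n, action, ref, "not pinned to a full commit SHA; a tag can be retargeted"))
    if not restrictive_permissions:
        findings.append(Finding(0, "<workflow>", "", "no restrictive permissions: block; GITHUB_TOKEN gets default permissions"))
    return findings


# Constructed sample: the kind of workflow the article's guidance asks teams to review.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: reviewdog/action-setup@v1
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567
"""

# Constructed hardened form: SHA-pinned, read-only token, affected actions removed.
HARDENED_WORKFLOW = """\
name: ci
on: [pull_request]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    for name, wf in (("sample", SAMPLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"== {name} ==")
        for f in scan_workflow(wf):
            print(f"  line {f.line:>2}: {f.action}@{f.ref}: {f.reason}")
```

Run it over every file under `.github/workflows/` in each repository. A hit on one of the named actions is the cue to pull the run logs for the incident windows and rotate any secret those jobs could reach, which is the review-and-rotate step the article describes; the unpinned-tag and permissions findings are the longer-term hardening the Palo Alto Networks researchers point to.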