GitHub Actions supply chain attack: tj-actions/changed-files and reviewdog/action-setup

Secrets leaked via compromised CI components
GitHub Actions, CI/CD, Supply chain compromise, Secrets exposure, DevSecOps, CVE-2025-30066, CVE-2025-30154, tj-actions, reviewdog, Software supply chain security

1. Executive Summary

A supply chain compromise impacted widely used third-party GitHub Actions, most notably tj-actions/changed-files, causing CI/CD secrets to be exposed via GitHub Actions workflow logs. The incident is tracked as CVE-2025-30066 and was addressed in the GitHub Advisory Database, with remediation released as tj-actions/changed-files v46.0.1. (GitHub)

Follow-on analysis and disclosures linked the tj-actions/changed-files compromise to a separate compromise of reviewdog/action-setup@v1, tracked as CVE-2025-30154, suggesting a chained supply chain intrusion that enabled the attacker to obtain credentials used to tamper with downstream projects. Both CVEs were subsequently reflected as Known Exploited Vulnerabilities by CISA via NVD change history and advisory metadata. (nvd.nist.gov)

While early reporting emphasised that tj-actions/changed-files was used by over 23,000 repositories, later impact analysis indicated that the subset of repositories that actually executed affected workflows during the exposure window and printed secrets was materially smaller, though still operationally significant for affected organisations. (GitHub)

2. Contextual Background

2.1 Nature of the threat

CVE-2025-30066 (tj-actions/changed-files)

Vendor advisory: GitHub Advisory for CVE-2025-30066 (GHSA-mrrh-fwg8-r2c3)
NVD

GitHub’s advisory states that attackers retroactively moved multiple version tags to a malicious commit, resulting in secrets being printed into workflow logs during 14–15 March 2025, and that the issue was patched in 46.0.1. (GitHub)

CVE-2025-30154 (reviewdog/action-setup@v1 and dependent actions)

Vendor advisory: GitHub Advisory for CVE-2025-30154 (GHSA-qmg3-hpqr-gqvc)
NVD

The reviewdog incident is described as a time-bounded compromise of the v1 tag (11 March 2025, 18:42–20:31 UTC) that could affect multiple reviewdog actions that depended on action-setup@v1. (GitHub)

2.2 Threat-actor attribution (if any)

No public, reputable source has attributed these compromises to a named threat actor cluster. Analysis from Unit 42’s incident assessment and Wiz Research indicates a chained intrusion and presents investigative leads (including an asserted focus on a high-value target), but stops short of a definitive actor identity. Confidence: Possible (unattributed; single-actor chain is assessed by multiple researchers, but no formal attribution). (Unit 42)

2.3 Sector and geographic targeting

At a baseline, any organisation using GitHub Actions with third-party actions was exposed to risk, with public repositories at heightened exposure because workflow logs may be broadly accessible. (GitHub)

Wiz and Unit 42 both discuss indicators consistent with targeted activity against coinbase/agentkit as part of the broader campaign narrative. This suggests at least some crypto/financial services adjacency, though the broader compromise mechanism remained opportunistic in blast radius due to ubiquitous action reuse. (Unit 42)

3. Technical Analysis

3.1 Vulnerabilities and TTPs (MITRE ATT&CK mapped)

The tj-actions/changed-files incident involved attacker-controlled code being executed within CI runners, followed by collection of sensitive material from runner memory and exposure of that material through workflow logs. The GitHub Advisory Database describes a malicious commit and mass tag retargeting that caused previously “trusted” version references to resolve to attacker content. (GitHub)

The reviewdog incident similarly describes malicious code introduced for a defined period, and both Wiz and reviewdog’s maintainer communications highlight how organisational contributor models and tag mutability can become an attack surface for CI/CD supply chain compromise. (GitHub)

Key ATT&CK techniques observed or strongly implied by reporting:

Supply chain compromise: T1195.002
Shell execution in CI: T1059.004
Python execution (payload execution/collection tooling): T1059.006
Downloading tooling into runner environment: T1105
Obfuscation via Base64 and encoded blobs: T1027.010
Collection from local system sources including process memory: T1005
Credential material targeted (tokens/keys, potentially private keys): T1552 and T1552.004

3.2 Exploitation status and PoC availability

Actively exploited: NVD change history reflects CISA KEV updates for both CVEs (CVE-2025-30066 added 18 March 2025; CVE-2025-30154 added 24 March 2025). Additionally, national-level advisories echoed KEV inclusion. (nvd.nist.gov)

PoC / reproduction: Public advisories include sufficient detail to reproduce the behaviour (malicious commit references, timelines, and log artefact patterns). This report avoids restating exploitation instructions; defenders should reference the vendor advisories directly for authoritative artefacts and remediation steps. (GitHub)

4. Impact Assessment

4.1 Severity and scope

CVE-2025-30066: CVSS v3.1 base score 8.6 (High) on NVD; GitHub’s advisory includes an EPSS value of 86.602% (99th percentile) at the time of publication.
- GitHub Advisory for CVE-2025-30066 and NVD (GitHub)
CVE-2025-30154: CVSS v3.1 base score 8.6 (High) (CNA: GitHub).
- GitHub Advisory for CVE-2025-30154 and NVD (nvd.nist.gov)

For tj-actions/changed-files, Endor Labs’ analysis identified 5,416 repositories referencing the action in workflow definitions, 614 executing impacted workflows during a defined 24-hour analysis window, and 218 that printed secrets to logs. While many leaked tokens were short-lived GitHub install access tokens, Endor also observed some longer-lived third-party credentials (e.g., DockerHub/npm/AWS) in a smaller subset. (endorlabs.com)

4.2 Victim profile

Organisations using GitHub Actions and third-party actions without immutable pinning were most exposed.
Public repositories with publicly accessible logs had the highest probability of broad credential disclosure. (GitHub)

5. Indicators of Compromise (IOCs)

5.1 IOC table

Note: Network indicators are defanged (e.g., hxxps, [.]) to reduce accidental activation.

Type	Value	Context/Notes	Source
Commit SHA	`0e58ed8671d6b60d0890c21b07f8835ace038e67`	`tj-actions/changed-files` malicious commit referenced in GitHub advisory IoCs	GitHub Advisory for CVE-2025-30066 (GitHub)
Tag pattern	`v1.0.0` .. `v45.0.7` retargeted	Retroactively updated tags were moved to the malicious commit	GitHub Advisory for CVE-2025-30066 (GitHub)
Domain	`gist[.]githubusercontent[.]com`	Reported outbound retrieval location used in the malicious chain	GitHub Advisory for CVE-2025-30066 (GitHub)
URL (defanged)	`hxxps://gist[.]githubusercontent[.]com/nikitastupin/30e525b776c409e03c2d6f328f254965/raw/memdump.py`	Referenced as the retrieved Python artefact in the advisory	GitHub Advisory for CVE-2025-30066 (GitHub)
Code keyword	`updateFeatures`	Function name referenced in NVD description as part of malicious logic	NVD (nvd.nist.gov)
Commit SHA	`f0d342d24037bb11d26b9bd8496e0808ba32e9ec`	`reviewdog/action-setup` malicious commit per GitHub advisory	GitHub Advisory for CVE-2025-30154 (GitHub)
Commit SHA	`3f401fe1d58fe77e10d665ab713057375e39b887`	Patch / retag fix reference in NVD	NVD (nvd.nist.gov)
File name	`install.sh`	Wiz reports payload inserted into `install.sh` for reviewdog chain	Wiz analysis of reviewdog compromise (wiz.io)
Suspicious SHA (targeted chain)	`6e6023c01918b353229af0881232f601a4cc8365`	Unit 42 describes this as a referenced SHA in targeted Coinbase-related activity	Unit 42 incident assessment (Unit 42)

5.2 Detection guidance

Log review (high-signal):

Review workflow runs executed during the exposure windows noted in the advisories:
- tj-actions/changed-files: 14–15 March 2025 (per GitHub advisory). (GitHub)
- reviewdog/action-setup@v1: 11 March 2025, 18:42–20:31 UTC (per GitHub/NVD). (nvd.nist.gov)
Hunt for unusually long, encoded blobs in the relevant action step output, especially patterns consistent with “double Base64” encoding described by researchers. (wiz.io)

Network telemetry (runner-side):

StepSecurity reports detecting anomalous outbound network calls associated with the incident and recommends runtime monitoring approaches for GitHub-hosted runners. Consider alerting on unexpected egress from workflows to code-hosting endpoints not required by the pipeline. (stepsecurity.io)

Query ideas (SIEM/EDR/CI telemetry):

Match workflow log lines containing:
- updateFeatures
- references to memdump.py (defanged handling recommended)
- base64-like character distributions in unusually long single-line output
Correlate with workflow jobs that had elevated permissions (write-all or broad token scopes) where possible, as Unit 42 highlights the risk of high-privilege workflow contexts in targeted scenarios. (Unit 42)

6. Incident Response Guidance

6.1 Containment, eradication, recovery

Containment
- Temporarily disable affected workflows (or GitHub Actions entirely for high-risk repos) until triage is complete: see GitHub Docs on disabling or limiting GitHub Actions. (GitHub Docs)
- Enforce an actions allow policy, restricting execution to approved actions and versions: see GitHub Docs on managing Actions settings for a repository. (GitHub Docs)
Eradication
- Update workflows to patched versions:
  - tj-actions/changed-files to 46.0.1+. (GitHub)
- For reviewdog ecosystem actions, ensure you are on releases at or above the maintainer’s “affected below” thresholds (e.g., action-shellcheck < v1.29.2, etc.) as listed in the maintainer incident issue. (GitHub)
Recovery
- Rotate secrets that may have been present in the runner environment during exposure windows:
  - GitHub tokens (PATs, fine-grained PATs, GitHub App credentials)
  - Cloud credentials (AWS, Azure, GCP)
  - Package registry credentials (npm, DockerHub, etc.)
    Endor Labs’ findings highlight that while many leaked tokens were short-lived, some higher-impact third-party credentials were also observed. (endorlabs.com)
- Consider deleting workflow logs after preserving forensic copies, per GitHub Docs on using workflow run logs. (GitHub Docs)

6.2 Forensic artefacts to collect

Workflow run logs (prior to deletion) for the relevant windows. (GitHub Docs)
GitHub audit log events (org/repo) for:
- changes to workflows, permissions, secrets, environments
- unexpected runner behaviour or new maintainers
Package publish logs (npm, DockerHub, container registries) if any registry tokens were exposed.

6.3 Lessons learned

Mutable tags are a strategic risk in CI dependencies. Where feasible, move to immutable commit SHA pinning and governance controls for third-party actions usage. (GitHub Docs)

7. Threat Intelligence Contextualisation

7.1 Comparisons to similar incidents

This incident aligns with a broader pattern of CI/CD and developer ecosystem compromises where adversaries target high-trust automation components to achieve downstream reach. The chained compromise aspect (reviewdog ➝ tj-actions, per researcher reporting) is a textbook demonstration of how upstream CI dependencies can become credential and token harvesting vectors. (Unit 42)

7.2 Full MITRE ATT&CK mapping

Tactic	Technique ID	Technique Name	Observed behaviour
Initial Access	T1195.002	Compromise Software Supply Chain	Third-party GitHub Actions tags/refs manipulated to execute attacker code in downstream workflows
Execution	T1059.004	Unix Shell	Runner executed shell logic within action steps (reported in multiple analyses)
Execution	T1059.006	Python	Python-based logic used to process/collect sensitive artefacts from runner environment
Command and Control / Transfer	T1105	Ingress Tool Transfer	Retrieval of external content into the runner (e.g., code-hosting endpoints)
Defence Evasion	T1027.010	Command Obfuscation	Encoding/obfuscation patterns (Base64) used to reduce immediate readability in logs
Collection	T1005	Data from Local System	Sensitive material collected from local system sources, including process memory
Credential Access	T1552	Unsecured Credentials	Targeted harvesting of secrets/tokens present in workflow runtime context
Credential Access	T1552.004	Private Keys	Reporting notes potential exposure classes including private keys in CI contexts

8. Mitigation Recommendations

8.1 Hardening steps

Pin third-party actions to immutable SHAs and review pinning policy regularly:
- See GitHub secure use guidance. (GitHub Docs)
Restrict GITHUB_TOKEN defaults to least privilege:
- See GitHub org-level workflow permissions guidance. (GitHub Docs)
Enforce allow policies (allow-listing) for actions and reusable workflows:
- See GitHub repo-level actions policy controls. (GitHub Docs)
Prefer OIDC-based short-lived cloud auth over long-lived static secrets where possible (reduces the value of log exposure and runner compromise).

8.2 Patch management and prioritisation

Prioritise remediation for:

Public repositories with Actions enabled and historical workflow logs accessible.
Repositories that executed affected workflows within exposure windows.
Pipelines that use long-lived registry/cloud credentials.

Patch guidance:

tj-actions/changed-files: update to 46.0.1+ and re-validate workflow references. (GitHub)
reviewdog actions: update beyond the maintainer’s affected thresholds and validate reviewdog/action-setup lineage. (GitHub)

9. Historical Context & Related Vulnerabilities

9.1 Previously reported issues in the same ecosystem

Semgrep notes that tj-actions/changed-files had prior security history, referencing CVE-2023-51664 as an earlier vulnerability related to the project. Treat this as a signal to apply stronger dependency governance around CI components, including periodic reviews of critical actions. (semgrep.dev)

9.2 Related coverage and background reading

Endor Labs blast radius analysis (impact quantification and secret types) (endorlabs.com)
Unit 42 incident assessment (chained compromise narrative and targeted leads) (Unit 42)
Wiz analysis of tj-actions compromise (log exposure behaviour and caching concerns) (wiz.io)

10. Future Outlook

10.1 Emerging trends

Expect continued focus on CI/CD ecosystems as high-leverage targets. This incident reinforces that developer workflow components are effectively “software dependencies”, and should be treated with equivalent governance: provenance, immutability, least privilege, and continuous monitoring. (GitHub Docs)

10.2 Likely evolution

Increased attacker use of time-bounded tag compromise and fast reversion to reduce dwell time and visibility (noted in reviewdog reporting). (wiz.io)
More campaigns that begin as spear-targeting (high-value repos) but expand opportunistically once control is achieved (as assessed by Unit 42 and Wiz). (Unit 42)