GitHub Action Vulnerability Exploited

Tech and Innovation
, , ,
1

Concise Summary:
A popular GitHub Action, tj-actions/changed-files, has been compromised by a supply chain attack. This action detects changes in pull requests and commits. The compromise allows attackers to steal sensitive information like access keys, GitHub PATs, npm tokens, and private RSA keys. CISA has added CVE-2025-30066 to its Known Exploited Vulnerabilities Catalog and urges users to patch their systems immediately by updating to v46.0.1. To strengthen security, organizations should implement mitigation recommendations from CISA and report any incidents to the 24/7 Operations Center at [email protected] or (888) 282-0870.

Key Points:

  • Here are five key points extracted from the content:.
    • A popular third-party GitHub Action, tj-actions/changed-files, was compromised, allowing for information disclosure of sensitive credentials.
    • This compromise allows attackers to gain access to valid access keys, GitHub Personal Access Tokens (PATs), npm tokens, and private RSA keys.
    • The vulnerability has been patched in version 46.0.1, but users should continue to follow security best practices and consider further mitigation strategies.
    • CISA has added CVE-2025-30066 to its Known Exploited Vulnerabilities Catalog for increased awareness and facilitates reporting of incidents.
    • Users are advised to implement recommendations from CISA to strengthen their security posture when using third-party GitHub Actions and report any suspicious activity.

Archive Links:
12ft: https://12ft.io/https://www.cisa.gov/news-events/alerts/2025/03/18/supply-chain-compromise-third-party-github-action-cve-2025-30066
archive.org: https://web.archive.org/web/https://www.cisa.gov/news-events/alerts/2025/03/18/supply-chain-compromise-third-party-github-action-cve-2025-30066
archive.is: https://archive.is/https://www.cisa.gov/news-events/alerts/2025/03/18/supply-chain-compromise-third-party-github-action-cve-2025-30066
archive.today: https://archive.today/https://www.cisa.gov/news-events/alerts/2025/03/18/supply-chain-compromise-third-party-github-action-cve-2025-30066

Original Link: https://www.cisa.gov/news-events/alerts/2025/03/18/supply-chain-compromise-third-party-github-action-cve-2025-30066

User Message: Supply Chain Compromise of Third-Party GitHub Action, CVE-2025-30066 | CISA

For more on bypassing paywalls, see the post on bypassing methods