CISA Warns of Supply-Chain Attack Targeting Widely-Used GitHub Action Vulnerability
- From: Vulnerability (cybersecuritynews.com)
Author: Kaaviya
CISA has added a critical vulnerability affecting the popular GitHub Action “tj-actions/changed-files” to its Known Exploited Vulnerabilities Catalog.
The supply chain attack, tracked as CVE-2025-30066 with a CVSS score of 8.6, potentially exposed sensitive CI/CD secrets from over 23,000 repositories that utilize this widely adopted automation tool.
Security researchers at StepSecurity first detected the compromise on March 14, 2025, after observing suspicious activity in the GitHub Action’s repository.
Attackers had compromised a GitHub personal access token (PAT) used by a bot (@tj-actions-bot) with privileged access to the repository.
They subsequently injected malicious code into the Action and retroactively updated multiple version tags to reference the compromised commit.
GitHub Supply-Chain Attack
“The compromised action injected malicious code into any CI workflows using it, dumping the CI runner memory containing the workflow secrets,” explained security firm Wiz in their analysis.
The secrets were then exposed to everyone as part of the workflow logs in public repositories, obfuscated as a double-base64-encoded payload.
The attack targeted the “tj-actions/changed-files” GitHub Action, which is intended to detect files modified in pull requests or commits.
The vulnerability allowed attackers to extract sensitive information, including API tokens, GitHub PATs, npm tokens, and private RSA keys from workflow logs.
The malicious activity began around March 14, 2025, and GitHub took swift action by removing the compromised Action on March 15. The repository was later restored with the malicious code removed.
Risk Factors
- Affected Products: tj-actions/changed-files (all versions through v45.0.7); tj-actions/eslint-changed-files
- Impact: Information disclosure of secrets in GitHub Actions logs
- Exploit Prerequisites: Remote access to GitHub Actions logs
- CVSS 3.1 Score: 8.6 (High)
Patch Released
A patched version (v46.0.1) has been released to address the vulnerability.
“CISA has urged Federal Civilian Executive Branch (FCEB) agencies to apply the necessary patches by April 8, 2025, in light of active exploitation,” according to security reports.
CISA strongly recommends organizations take immediate action to mitigate the risk, including:
- Rotating all secrets used during the attack time frame (March 14-15, 2025).
- Reviewing workflows for unexpected output under the ‘changed-files’ section.
- Updating any workflows that reference the compromised commit by SHA.
- Explicitly pinning actions to full commit hashes rather than version tags.
Security experts emphasize that pinning to specific commit hashes is the most effective way to prevent similar supply chain attacks.
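As an added example (not code from the article or from the tj-actions project), the stdlib-only Python audit below classifies every `uses:` reference in a workflow file by how it is pinned, flags the two actions named in the advisory when they are pinned by a mutable tag or branch, and flags any reference to a commit you list as compromised. The workflow text and the 40-hex SHA inside it are constructed, and `compromised_shas` is a placeholder set to be filled from the advisory, since the article does not give the commit.

```python
import re

# Matches a `uses:` step reference of the form owner/repo[/path]@ref,
# stopping before any trailing "# v46.0.1"-style comment.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]*)?)@(?P<ref>[^\s'\"#]+)",
    re.MULTILINE,
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Actions named in the advisory. A tag or branch pin on these is high risk:
# the attacker retroactively moved version tags to the malicious commit.
ADVISORY_ACTIONS = {"tj-actions/changed-files", "tj-actions/eslint-changed-files"}


def audit_workflow(yaml_text, compromised_shas=frozenset()):
    """Return one (repo, ref, pin_kind, severity) tuple per `uses:` line."""
    findings = []
    for m in USES_RE.finditer(yaml_text):
        action, ref = m.group("action"), m.group("ref")
        repo = "/".join(action.split("/")[:2])  # drop any sub-path inside the repo
        if ref in compromised_shas:
            kind, severity = "sha", "critical: references a known-compromised commit"
        elif FULL_SHA_RE.match(ref):
            kind, severity = "sha", "ok"  # immutable pin to a full commit hash
        else:
            kind = "tag" if re.match(r"^v?\d", ref) else "branch"
            if repo in ADVISORY_ACTIONS:
                severity = "high: advisory action pinned by mutable %s" % kind
            else:
                severity = "medium: mutable %s pin" % kind
        findings.append((repo, ref, kind, severity))
    return findings


# Constructed sample workflow; the SHA below is made up, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567  # v46.0.1
      - uses: tj-actions/eslint-changed-files@main
"""

if __name__ == "__main__":
    for repo, ref, kind, severity in audit_workflow(SAMPLE_WORKFLOW):
        print("%-40s %-45s %-6s %s" % (repo, ref, kind, severity))
```

A full-SHA pin only covers the action's own repository; any action that it in turn calls by tag inside its own definition is not covered by your pin.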
This incident serves as a critical reminder of the importance of implementing robust security practices when utilizing third-party code in CI/CD pipelines, especially as supply chain attacks continue to target trusted development tools.