Over 23,000 organizations unwittingly had their secrets exposed over the weekend after threat actors managed to compromise a popular GitHub Action.
GitHub Actions is a continuous integration and continuous delivery (CI/CD) platform designed to streamline the building, testing and deployment of code.
On Friday, security researchers spotted that the source code of the popular tj-actions/changed-files GitHub Action had been tampered with.
“In this attack, the attackers modified the action’s code and retroactively updated multiple version tags to reference the malicious commit. The compromised Action prints CI/CD secrets in GitHub Actions build logs,” explained StepSecurity.
“If the workflow logs are publicly accessible (such as in public repositories), anyone could potentially read these logs and obtain exposed secrets. There is no evidence that the leaked secrets were exfiltrated to any remote network destination.”
The incident has been given an official CVE number: CVE-2025-30066. All versions of the Action were impacted, but GitHub has now removed it, so users will have to find alternative implementations.
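A defender-side check for the two weaknesses described above, version tags retargeted to a malicious commit and any lingering reference to the now-removed Action, as an added example that is not from the article or from any vendor quoted in it: it scans a GitHub Actions workflow for `uses:` references that are not pinned to a full commit SHA and for any use of tj-actions/changed-files, which the page says was affected in all versions. The sample workflow, the placeholder SHA and the function name `audit_workflow` are constructed for this illustration.

```python
import re

# A `uses:` line in a workflow: owner/repo[/path]@ref (quotes optional).
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^@"\'\s]+)@([^"\'\s#]+)')
# A full 40-hex commit SHA cannot be silently retargeted the way a tag can.
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')

# Constructed sample workflow; the SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: tj-actions/changed-files@v45
        with:
          files: '**/*.py'
"""

def audit_workflow(text, compromised=("tj-actions/changed-files",)):
    """Return (line_no, action, ref, kind) for every risky action reference.

    kind is "compromised-action" for any reference to a listed action,
    regardless of how it is pinned, or "mutable-ref" for a third-party
    action referenced by tag or branch instead of a full commit SHA.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.groups()
        if action.startswith("./") or action.startswith("docker://"):
            continue  # local and container references are out of scope here
        repo = "/".join(action.split("/")[:2])  # strip any sub-path
        if repo in compromised:
            findings.append((line_no, action, ref, "compromised-action"))
        elif not FULL_SHA_RE.match(ref):
            findings.append((line_no, action, ref, "mutable-ref"))
    return findings

if __name__ == "__main__":
    for line_no, action, ref, kind in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action}@{ref} -> {kind}")
```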
“The attacker was likely not looking for secrets in public repositories – they are already public. They were likely looking to compromise the software supply chain for other open source libraries, binaries, and artifacts created with this. Any public repository that creates packages or containers as part of a CI pipeline could have been impacted. That means potentially thousands of open source packages have the potential to have been compromised,” wrote Endor Labs.
“This can also apply to enterprise organizations that have both private and public repositories. If these repositories share CI/CD pipeline secrets for artifact or container registries these registries can be potentially compromised.”
The security vendor said it had no evidence at the time of writing that any downstream open source libraries or containers had been impacted, but called on maintainers and security researchers to watch closely for secondary compromises.