Critical Security Incident involving GitHub Action tj-action/changed-files

Projects using the vulnerable action are at risk of exposed CI/CD secrets



Threat details

Active exfiltration of exposed credentials

The compromised GitHub Action is actively exfiltrating exposed credentials which may be used for a wide range of attacks. Affected organisations should refer to remediation steps below to immediately disable tj-actions and rotate all credentials contained in compromised repositories.

Additional compromise of reviewdog GitHub Actions identified

Analysis of the tj-actions incident has led researchers to discover an earlier, separate compromise of reviewdog/actions-* repositories that may have enabled the attack on tj-actions. Usage of the affected reviewdog GitHub Actions is limited relative to tj-actions/changed-files, but organisations are advised to review their usage and remediate the risk where affected.


Introduction

A critical security incident involving the tj-actions/changed-files GitHub Action has been reported. The changed-files action, which allows GitHub repositories to track file changes, has been tampered with so that CI/CD secrets, including passwords, tokens, API keys, PII and other sensitive data embedded within software code, are written to GitHub Actions build logs. Where workflow logs are publicly accessible, such as those for public repositories, attackers could read the exposed secrets and use them for further malicious actions.

The issue is tracked as a high-severity vulnerability under CVE-2025-30066.


Threat updates

Date         Update
20 Mar 2025  Additional compromise of reviewdog/actions-* identified. Remediation advice has been updated.


Remediation advice

Organisations should first determine whether or not they are affected using one of the following methods:

  • search for 'tj-actions' in your code base
  • search on GitHub for public repositories authored by your GitHub organisation that use tj-actions, using this search query: org:<YOUR-GITHUB-ORGANISATION> uses: tj-actions/
  • usage of the affected reviewdog GitHub Actions can be identified with this query: org:<YOUR-GITHUB-ORGANISATION> (reviewdog/action-setup@v1 OR reviewdog/action-shellcheck OR reviewdog/action-composite-template OR reviewdog/action-staticcheck OR reviewdog/action-ast-grep OR reviewdog/action-typos) AND secrets. language:yaml path:/^\.github\/workflows\//
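The code-base search in the first bullet can be scripted. The following Python script is an added example, not part of the original alert or of either project's tooling: it walks .github/workflows/, reports every `uses:` step that references tj-actions/ or one of the reviewdog actions named in the query above, and notes whether the reference is a mutable tag or a full 40-character commit SHA (a reference by tag can resolve to different code over time, which is why pinning to a commit SHA is the usual hardening once the incident is remediated). The sample workflow and the SHA in it are constructed for illustration.

```python
import re
from pathlib import Path

# Action prefixes taken from the advisory's GitHub search queries.
AFFECTED_PREFIXES = (
    "tj-actions/",
    "reviewdog/action-setup",
    "reviewdog/action-shellcheck",
    "reviewdog/action-composite-template",
    "reviewdog/action-staticcheck",
    "reviewdog/action-ast-grep",
    "reviewdog/action-typos",
)

# Matches "uses: owner/repo@ref" with or without a leading "- " list marker.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_uses_line(line):
    """Return (action, ref) for a `uses:` step line, or None for any other line."""
    m = USES_RE.match(line)
    if not m:
        return None
    action, _, ref = m.group(1).partition("@")
    return action, ref


def is_affected(action):
    """True if the action is one of those named in the advisory."""
    return any(action.startswith(p) for p in AFFECTED_PREFIXES)


def scan_workflow(text, filename="<workflow>"):
    """Return a list of findings (dicts) for affected `uses:` steps in one workflow."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parsed = parse_uses_line(line)
        if parsed is None:
            continue
        action, ref = parsed
        if not is_affected(action):
            continue
        findings.append({
            "file": filename,
            "line": lineno,
            "action": action,
            "ref": ref,
            # A full commit SHA fixes exactly which code runs; a tag does not.
            "sha_pinned": bool(SHA_RE.match(ref)),
        })
    return findings


def scan_repo(root):
    """Scan every workflow file under <root>/.github/workflows/."""
    findings = []
    for path in sorted(Path(root).glob(".github/workflows/*.y*ml")):
        findings.extend(scan_workflow(path.read_text(), str(path)))
    return findings


# Constructed sample workflow; the 40-hex SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Get changed files
        uses: tj-actions/changed-files@v45
      - uses: reviewdog/action-shellcheck@v1
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
      - uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567
"""


if __name__ == "__main__":
    import sys
    # With a path argument, scan that checkout; otherwise scan the constructed sample.
    results = scan_repo(sys.argv[1]) if len(sys.argv) > 1 else scan_workflow(SAMPLE_WORKFLOW, "sample.yml")
    for f in results:
        pin = "sha-pinned" if f["sha_pinned"] else "TAG (mutable)"
        print(f"{f['file']}:{f['line']}: {f['action']}@{f['ref']} [{pin}]")
    if not results:
        print("no references to affected actions found")
```

Run it as `python scan_actions.py /path/to/repo` across each checked-out repository; any hit, pinned or not, means the repository falls under the remediation steps below if the workflow ran during the affected windows, since pinning only protects runs after the pin was introduced.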

Projects that used any version of tj-actions/changed-files prior to version 46 between 12 March 2025, 00:00 and 15 March 2025, 12:00 UTC are at high risk of exposed secrets, while reviewdog/action-* Actions run between 11 March 2025, 18:42 and 19 March 2025, 00:00 are considered high risk.

Once organisations have identified the affected projects, the following steps should be taken to remediate the risk:

  1. Stop using the affected tool immediately. Disable the affected GitHub Action by removing tj-actions or reviewdog from the allow-list following the steps outlined in GitHub's documentation.
  2. Rotate credentials contained in affected repositories. Consider all credentials in affected projects compromised, prioritising remediation in public repositories as the exposure risk is higher than in private projects.
  3. Finally, delete the affected logs following the steps listed in GitHub's documentation.

Additionally, organisations are encouraged to review the security advisories published by tj-actions and reviewdog respectively.



Last edited: 20 March 2025 1:34 pm