On March 14, 2025, StepSecurity uncovered a compromise in the popular GitHub Action tj-actions/changed-files. Tens of thousands of repositories use this action to track file changes, and it is now known to have been tampered with, posing a risk to both public and private projects. A CVE has been created for this issue: CVE-2025-30066.
What Happened?
- Compromise Date:
- The attack was carried out on March 12, 2025.
- Affected Component:
- A malicious commit was introduced into the tj-actions/changed-files repository that affects the Action functionality. The repository is currently unavailable.
- Malicious Activity:
- The attacker injected a Node.js function containing base64-encoded instructions. These instructions download Python code designed to scan the memory of the GitHub Runner for credentials.
- In this instance, the stolen data was simply printed in the GitHub Action build logs. In another variation of the code (within the Flank project), the data was exfiltrated via a POST request to a GitHub Gist.
How the Attack Works
- Injection of Malicious Code:
- A Node.js function with base64-encoded payloads is inserted into the action.
- Downloading a Payload:
- The base64 payload decodes to reveal a script that downloads additional Python code from a Github gist.
- Memory Scanning:
- The Python script identifies the GitHub Runner’s process (specifically the “Runner.worker” process), opens its memory mappings, and searches for sensitive credentials using regular expressions.
- Exfiltration of Data:
- The results are output and stored within the GitHub Action build logs. The attackers must have access to these logs in order to extract the secrets.
Who Is Affected?
- Public Repositories:
- Projects that used the compromised version of tj-actions/changed-files between March 12, 2025, 00:00 and March 15, 2025, 12:00 UTC are at high risk. In these cases, sensitive credentials may have been exposed via public logs.
- Private Repositories:
- Although the exposure risk is slightly lower, any private repository using the affected action should treat its secrets as potentially compromised.
How to Detect and Mitigate the Attack
Detection with Cloud Detection & Response
Tools like Falco and Sysdig Secure are effective for detecting the attack during its execution.
- Runtime Monitoring:
- Sysdig Secure provides out-of-the-box detection for memory scanning activities, such as its “Dump Memory using /proc/ Filesystem” rule in the Sysdig Runtime Behavioral Analysis policy.
- Falco Detection Rule:
Use the below rule to actively detect base64-encoded data piped from commands like curl or wget to base64 for decoding:
- rule: Inline Base64 Execution by Wget/Curl
desc: This rule detects base64 being used with piped input. This may indicate an attacker decoding a malicious payload.
condition: >
spawned_process and proc.name=base64 and proc.stdin.type=pipe and proc.pgid.name in (wget, curl)
output: >
Base64 executed with stdin piped with parent %proc.pname on %container.name under user %user.name (proc.name=%proc.name proc.exepath=%proc.exepath proc.pname=%proc.pname proc.pcmdline=%proc.pcmdline gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] image=%container.image.repository user.name=%user.name user.loginuid=%user.loginuid proc.cmdline=%proc.cmdline fd.name=%fd.name container.id=%container.id evt.type=%evt.type evt.res=%evt.res proc.pid=%proc.pid proc.cwd=%proc.cwd proc.ppid=%proc.ppid proc.sid=%proc.sid user.uid=%user.uid user.loginname=%user.loginname group.gid=%group.gid group.name=%group.name container.name=%container.name)
priority: WARNINGCode language: YAML (yaml)Falco Actions Integration
Falco Actions is an open-source project that monitors your CI/CD workflows for potential threats in real time. It can detect suspicious activities such as unauthorized network connections or file access. Here’s how you can plug it into your GitHub Actions workflow.
jobs:
foo:
runs-on: ubuntu-latest
permissions:
contents: read
actions: read
steps:
- name: Start Falco
uses: falcosecurity/falco-actions/start@<commit-sha>
with:
mode: live
falco-version: '0.39.0'
verbose: true
# ...
# Your steps here
# ...
- name: Stop Falco
uses: falcosecurity/falco-actions/stop@<commit-sha>
with:
mode: live
verbose: trueCode language: YAML (yaml)Mitigation of exposed secrets
In addition to detecting this malicious activity, it’s critical to implement a comprehensive remediation strategy to reduce the risk of exposed secrets. The following actions should be taken immediately:
- Identify affected repositories: Conduct an audit to locate all projects using all versions of tj-actions/changed-files in your organization.
- Remediate public repositories immediately: For public repos with workflows that ran between 2025-03-12 00:00 to 2025-03-15 12:00 UTC, rotate all secrets immediately as they should be considered compromised. Attackers are likely actively scanning for exposed secrets.
- Address private repositories: For private repos using the vulnerable action, rotate secrets at a lower priority than public repositories.
- Implement alternatives: Since GitHub has removed the vulnerable action and its not clear when the project will be available again you developer teams might require alternatives to maintain pipeline functionality.
Conclusion
The compromise of the tj-actions/changed-files GitHub Action highlights the growing risk of supply chain attacks in CI/CD environments. By understanding the mechanics of the attack, using runtime security controls or cloud detection and response tools like Falco and Sysdig Secure, and taking swift remediation steps, organizations can mitigate potential damage and safeguard their sensitive data.