CISA Warns of Active Exploitation in GitHub Action Supply Chain Compromise

Mar 19, 2025 Ravie Lakshmanan / DevSecOps

On Tuesday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.

The high-severity flaw is related to the compromise of the tj-actions/changed-files GitHub Action, which allows a remote attacker to access sensitive information via action logs, and is tracked as (CVSS score: 8.6).

"The tj-actions/changed-files GitHub Action contains an embedded malicious code vulnerability that allows a remote attacker to discover secrets by reading action logs," CISA said in an alert.

"These secrets may include, but are not limited to, valid AWS access keys, GitHub personal access tokens (PATs), npm tokens, and private RSA keys," the agency added.

According to cloud security company Wiz, the incident may have been a cascading supply chain attack, with unknown threat actors first compromising the reviewdog/action-setup@v1 GitHub Action in order to infiltrate tj-actions/changed-files.

"tj-actions/eslint-changed-files uses reviewdog/action-setup@v1, and the tj-actions/changed-files repository runs this tj-actions/eslint-changed-files Action with a Personal Access Token," Wiz researcher Rami McCarthy said. "The reviewdog Action was compromised during roughly the same time frame as the tj-actions PAT compromise."

How this happened is still unclear at this time. However, the reviewdog compromise is said to have taken place on March 11, 2025, in a window before tj-actions/changed-files was breached on March 14.

This means that any CI/CD workflow using the affected reviewdog action could have had malicious code injected into it, in the form of a Base64-encoded payload appended to a file used by the action.

The payload is designed to expose sensitive information from the repositories that run the action into their workflow logs, just as in the tj-actions case. Only one tag (v1) of reviewdog/action-setup is affected by the issue.

The maintainers of tj-actions have attributed the incident to a compromised GitHub Personal Access Token (PAT) that allowed the attackers to modify the repository with unauthorized code.

"We can confirm that the attacker had sufficient access to update the v1 tag to point at the malicious code that was committed on a fork of the repository," McCarthy said.

The reviewdog GitHub organization appears to add contributors continuously through automated invites and already has a relatively large contributor base. This makes it more likely either that a member's credentials were compromised or that a contributor knowingly obtained access with malicious intent.

To protect their networks from active threats, affected users and federal agencies are advised to update to the latest version of tj-actions/changed-files (46.0.1) by April 4, 2025. However, given the root cause, there is a risk of the compromise recurring.

Users are also advised to review past workflow runs for suspicious activity, rotate any leaked secrets, and pin all GitHub Actions to specific commit hashes rather than version tags, in addition to replacing the compromised actions with safer alternatives.
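As an added example (not from the article, CISA, Wiz, or the tj-actions project), a small check that walks a workflow's `uses:` references and flags anything not pinned to a full 40-hex commit SHA, plus any reference to the actions named above. The sample workflow and the SHA in it are constructed placeholders.

```python
import re
from typing import List, Tuple

# Actions named in the article as part of the compromise. A hit on one of these
# is a trigger to review past workflow logs and rotate secrets, whatever the pin.
COMPROMISED_ACTIONS = {
    "tj-actions/changed-files",
    "tj-actions/eslint-changed-files",
    "reviewdog/action-setup",
}

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def check_workflow(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, reference, finding) for every risky `uses:` entry."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1).strip("\"'")
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local or container references are outside this check
        if "@" not in ref:
            findings.append((lineno, ref, "no ref: floats to the default branch"))
            continue
        action, _, version = ref.rpartition("@")
        if action in COMPROMISED_ACTIONS:
            findings.append((lineno, ref, "action named in the compromise: audit logs, rotate secrets"))
        if not FULL_SHA_RE.match(version):
            # Tags and branches are mutable, so an attacker with write access can move them.
            findings.append((lineno, ref, f"mutable ref '{version}', not a full commit SHA"))
    return findings


# Constructed sample workflow; the SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Changed files
        uses: tj-actions/changed-files@v46.0.1
      - uses: reviewdog/action-setup@v1
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    for lineno, ref, finding in check_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref}: {finding}")
```

Even the SHA-pinned entry only proves which commit runs; the finding by name is what tells you to go back through the logs of runs that used the affected actions.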
