Over 23,000 Repositories Rely on a Compromised GitHub Action, Putting CI/CD Secrets at Risk

April 17, 2025 | Ravie Lakshmanan | Vulnerability / Cloud Security

Cybersecurity researchers are calling attention to an incident in which the popular GitHub Action tj-actions/changed-files was compromised to leak secrets from repositories using the continuous integration and continuous delivery (CI/CD) workflow.

The GitHub Action, which is used in over 23,000 repositories, is used to track and retrieve all files and directories that have changed.

The supply chain compromise has been assigned a CVE identifier (CVSS score: 8.6). The incident is said to have taken place sometime before March 14, 2025.

According to StepSecurity, the attackers modified the action's code and retroactively updated multiple version tags to point to the malicious commit. The compromised Action prints CI/CD secrets in the GitHub Actions build logs.

As a result, if the workflow logs are publicly accessible, running the action on a repository could lead to the disclosure of sensitive information.

The leaked secrets include, among others, AWS access keys, GitHub Personal Access Tokens (PATs), npm tokens, and private RSA keys. However, there is no evidence that the leaked information was exfiltrated to any attacker-controlled infrastructure.

Specifically, the malicious code is designed to run a Python script hosted on a GitHub gist that extracts CI/CD secrets from the Runner Worker process. It is said to have originated from an unverified commit. The GitHub gist has since been removed.

The project maintainers said the unidentified threat actor(s) behind the incident were able to compromise a personal access token (PAT) used by @tj-actions-bot, a bot with access to the compromised repository.

Following the discovery, the bot's password was updated, its authentication was upgraded to use a passkey, and its permission levels were changed in a way that adheres to the principle of least privilege. GitHub also revoked the compromised PAT.

The maintainers added that the affected Personal Access Token was stored as a GitHub Actions secret. To prevent a recurrence, no PAT will be used for any activity in the tj-actions organization, according to the statement.

Anyone who uses the GitHub Action is advised to update to the most recent version (46.0.1) as quickly as possible. Users are also advised to check for "unexpected output" under the changed-files section of their logs and to review all workflows that ran between March 14 and March 15.
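The log review advised above can be scripted. The following is an added example written for this page; it is not code from the article, StepSecurity, or the tj-actions project. It assumes the workflow logs have been downloaded as plain text, limits matching to the output of the changed-files step, and looks for the credential shapes the article names (AWS access key IDs, GitHub PATs, npm tokens, RSA private keys). The sample log lines and the secret-looking values in them are constructed placeholders. Because step output is not necessarily printed in plain form, the scanner also decodes base64-looking blobs before matching; that generalizes beyond what the article states.

```python
"""Scan downloaded GitHub Actions log lines for credential material.

Added example (not from the article or the tj-actions project).
The sample log, the secret-looking values and the step marker are constructed.
"""
import base64
import binascii
import re

# Credential shapes named in the article; generic patterns, not incident IoCs.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "npm_token": re.compile(r"\bnpm_[A-Za-z0-9]{36}\b"),
    "rsa_private_key": re.compile(r"-----BEGIN (?:RSA )?PRIVATE KEY-----"),
}

# Candidate base64 blobs worth decoding before matching.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def decode_layers(text, max_depth=2):
    """Yield `text`, then any base64-decodable blobs found in it (nested up to max_depth)."""
    yield text
    if max_depth == 0:
        return
    for blob in B64_TOKEN.findall(text):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
        yield from decode_layers(decoded, max_depth - 1)


def scan_log(lines, step_marker="tj-actions/changed-files"):
    """Return (line_no, kind, redacted_prefix) for credentials printed by the marked step.

    Only lines belonging to the step whose '##[group]Run ...' header mentions
    `step_marker` are inspected, mirroring the advice to look at the
    changed-files section of the log. Matches are redacted to a short prefix.
    """
    findings = []
    in_step = False
    for line_no, line in enumerate(lines, start=1):
        if "##[group]Run " in line:          # a new step starts here
            in_step = step_marker in line
        if not in_step:
            continue
        for layer in decode_layers(line):
            for kind, pattern in SECRET_PATTERNS.items():
                for match in pattern.finditer(layer):
                    findings.append((line_no, kind, match.group(0)[:8] + "..."))
    return findings


# Constructed log excerpt: a checkout step, then the changed-files step whose
# output carries a plain AWS key ID, a base64-wrapped GitHub PAT and a key header.
SAMPLE_LOG = [
    "2025-03-15T10:00:01Z ##[group]Run actions/checkout@v4",
    "2025-03-15T10:00:05Z ##[group]Run tj-actions/changed-files@v45",
    "2025-03-15T10:00:06Z All changed files: src/app.py",
    "2025-03-15T10:00:07Z AWS_ACCESS_KEY_ID=AKIAEXAMPLE000000000",
    "2025-03-15T10:00:07Z "
    + base64.b64encode(b"GITHUB_TOKEN=ghp_ExampleExampleExampleExampleExampl00").decode(),
    "2025-03-15T10:00:08Z -----BEGIN RSA PRIVATE KEY-----",
]

if __name__ == "__main__":
    for line_no, kind, prefix in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {kind} ({prefix})")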

The development once again highlights how open-source software is particularly vulnerable to supply chain risks, which can have a significant impact on many downstream consumers at once.

According to cloud security firm Wiz, as of March 15, 2025, all versions of tj-actions/changed-files were found to be affected, because the attacker managed to update the existing version tags so that all of them pointed to the malicious code.

Users who were using a hash-pinned version of tj-actions/changed-files would not be affected, unless they had updated to an affected hash during the compromise timeframe.
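The distinction between a mutable version tag (which the attacker was able to repoint, as described above) and a full commit SHA is something a repository owner can audit mechanically. The following added example is not code from the article or the tj-actions project: it scans workflow YAML for `uses:` references, classifies each as pinned to a 40-character SHA, mutable (tag, branch, or no ref), local, or docker, and shows how a tag reference is rewritten to a SHA pin. The sample workflow is constructed, and the 40-zero SHA in it is a placeholder; the SHA to pin to must be taken from the project's own release, which the article does not give.

```python
"""Audit GitHub Actions workflow files for mutable action references.

Added example (not from the article or the tj-actions project). The sample
workflow and the all-zero SHA below are constructed placeholders.
"""
import re

# Matches '- uses: owner/repo@ref' or 'uses: owner/repo@ref', with optional quotes.
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(ref):
    """Return 'pinned', 'mutable', 'local' or 'docker' for one uses: reference.

    A tag such as v45 or v46.0.1 is mutable: the repository owner (or whoever
    holds their credentials) can move it to a different commit later.
    """
    if ref.startswith("./"):
        return "local"
    if ref.startswith("docker://"):
        return "docker"
    if "@" not in ref:                 # no ref at all resolves to the default branch
        return "mutable"
    _, version = ref.rsplit("@", 1)
    return "pinned" if FULL_SHA.match(version) else "mutable"


def audit_workflow(text):
    """Return (line_no, ref, status) for every uses: line in a workflow file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = USES_LINE.match(line)
        if match:
            ref = match.group(1)
            findings.append((line_no, ref, classify_ref(ref)))
    return findings


def pin_reference(ref, sha, version_label):
    """Rewrite owner/repo@tag as owner/repo@<sha>, keeping the tag as a comment."""
    if not FULL_SHA.match(sha):
        raise ValueError("expected a full 40-hex commit SHA")
    action = ref.split("@", 1)[0]
    return f"{action}@{sha}  # {version_label}"


PLACEHOLDER_SHA = "0" * 40   # constructed; replace with the real release commit

# Constructed workflow: one tag-pinned use (the form the incident abused) and
# one SHA-pinned use (the safer form), plus a checkout step and a local action.
SAMPLE_WORKFLOW = f"""\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Detect changes (mutable tag)
        uses: tj-actions/changed-files@v45
      - name: Detect changes (full-SHA pin)
        uses: tj-actions/changed-files@{PLACEHOLDER_SHA} # v46.0.1, placeholder SHA
      - uses: ./.github/actions/local-helper
"""

if __name__ == "__main__":
    for line_no, ref, status in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {status:8} {ref}")
    print(pin_reference("tj-actions/changed-files@v46.0.1", PLACEHOLDER_SHA, "v46.0.1"))
```

A SHA pin only helps if the SHA itself is trustworthy: as the paragraph above notes, a repository that updated its pin to an affected commit during the compromise window is still exposed, so the commit chosen for the pin should be checked against the project's own release history rather than copied from a tag that may have been moved.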

