GitHub Action Compromise Puts CI/CD Secrets at Risk in Over 23,000 Repositories

The GitHub Action tj-actions/changed-files was compromised, exposing CI/CD secrets in over 23,000 repositories. Attackers altered its code so that sensitive information such as AWS keys and GitHub PATs was printed in build logs. The incident, assigned CVE-2025-30066 (CVSS 8.6), highlights supply chain risks in CI/CD environments. Users should update to the latest version (46.0.1) and review workflows from March 14-15 for any unexpected outputs. GitHub has revoked the compromised PAT and implemented stricter access controls to prevent future attacks.
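As part of the review the summary recommends, a defender will want to know which workflows reference this action and whether each reference is pinned to an immutable full commit SHA or to a mutable tag that a compromised repository could repoint. The following script is an added example, not code from the article or the tj-actions project; the workflow it scans is a constructed sample, and the 40-hex SHA in it is a placeholder, not the real commit of 46.0.1.

```python
import re
from typing import Dict, List

# Constructed sample workflow (not from the page). The first reference uses a
# mutable tag; the second is pinned to a placeholder full commit SHA.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Detect changed files
        uses: tj-actions/changed-files@v45
      - name: Detect changed files (pinned)
        uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567 # v46.0.1
"""

# Matches "uses: owner/repo@ref", with or without a leading list dash.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+)@([^\s#]+)")
# A full-length commit SHA is the only reference GitHub cannot silently move.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text: str, action: str = "tj-actions/changed-files") -> List[Dict]:
    """Return one finding per `uses:` step referencing `action`, with its ref and
    whether that ref is an immutable full commit SHA."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m or m.group(1) != action:
            continue
        ref = m.group(2)
        findings.append({
            "line": lineno,
            "ref": ref,
            "pinned_to_sha": bool(FULL_SHA_RE.match(ref)),
        })
    return findings


def unpinned_uses(text: str, action: str = "tj-actions/changed-files") -> List[Dict]:
    """Only the references a reviewer must re-pin or re-verify."""
    return [f for f in audit_workflow(text, action) if not f["pinned_to_sha"]]


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        status = "ok (full commit SHA)" if f["pinned_to_sha"] else "REVIEW: mutable ref"
        print(f"line {f['line']}: @{f['ref']} -> {status}")
```

Run it over every file under `.github/workflows/` in each repository; a mutable ref that was active between March 14 and 15 is the case whose run logs deserve a close look.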

https://thehackernews.com/2025/03/github-action-compromise-puts-cicd.html
