gitlab

GitHub Action Compromise Puts CI/CD Secrets at Risk in Over 23,000 Repositories

The GitHub Action tj-actions/changed-files was compromised, exposing CI/CD secrets in over 23,000 repositories. Attackers altered its code so that sensitive information such as AWS keys and GitHub PATs was printed in build logs. The incident, assigned CVE-2025-30066 (CVSS 8.6), highlights supply chain risks in CI/CD environments. Users should update to the latest version (46.0.1) and review workflows that ran on March 14-15 for any unexpected output. GitHub has revoked the compromised PAT and implemented stricter access controls to prevent future attacks.

https://thehackernews.com/2025/03/github-action-compromise-puts-cicd.html

GitLab Patch Release: 17.7.1, 17.6.3, 17.5.5

GitLab released patch updates 17.7.1, 17.6.3, and 17.5.5 for Community and Enterprise Editions, containing critical bug fixes and security fixes. Users must upgrade immediately; GitLab.com is already updated. Notably, new import features enhance user contribution mapping, addressing vulnerabilities discovered via HackerOne. Key security fixes involve access token exposure, DoS issues, and unauthorized status manipulation. Recommended actions include temporarily disabling importers until upgraded and promptly upgrading any affected version. Full details and updates are available in GitLab's documentation.


Anyone Can Access Deleted and Private Repository Data on GitHub

GitHub allows access to data from deleted and private repositories because of its repository architecture. This includes data from deleted forks and from commits linked to public repositories, leading to potential exposure of sensitive information. A new term, Cross Fork Object Reference (CFOR), describes vulnerabilities where one fork can access another's sensitive data. Examples show that such data remains accessible even after deletion, primarily through known commit hashes. GitHub policies confirm this is by design, which has serious security implications for public repository users, as misuse could lead to leakage of confidential information. Key rotation is advised for secure handling of exposed secrets.

