PT-2025-11328 · Unknown · Tj-Actions

Published: 2025-03-14 · Updated: 2026-04-24 · CVE-2025-30066

CVSS v3.1: 8.6 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: tj-actions/changed-files versions prior to 46.0.1

Description: A supply chain compromise occurred in the tj-actions/changed-files GitHub Action, affecting over 23,000 repositories. A threat actor compromised a bot account and injected malicious code into the action by modifying version tags to point to a malicious commit 0e58ed8. The attack used a Node.js function containing a base64-encoded payload that downloaded and executed a Python script named memdump.py from an external Gist. This script targeted the Runner Worker process memory to extract sensitive CI/CD secrets, including AWS access keys, GitHub Personal Access Tokens (PATs), NPM tokens, and private RSA keys. The extracted data was double-encoded in base64 and printed into the GitHub Actions build logs, allowing remote attackers to discover these secrets by reading the logs, particularly in public repositories. The malicious code was disguised within a function named updateFeatures().

Recommendations: Update tj-actions/changed-files to version 46.0.1. Rotate all secrets, including AWS keys, GitHub tokens, and RSA keys, that were used in workflows between March 12 and March 15, 2025. Review workflow logs from March 14 and March 15, 2025, for suspicious double-encoded base64 strings. Pin GitHub Actions to specific commit SHAs instead of using tags or branches to ensure only verified code is executed.
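The two checks the recommendations call for (find workflows that reference tj-actions/changed-files by a movable tag instead of a full commit SHA, and scan build logs for double-base64-encoded strings) can be automated. The script below is an added example written for this page; it is not code from Positive Technologies or from the tj-actions project. The workflow file, the log lines, the placeholder secret and the 40-hex placeholder SHA are all constructed for the demonstration, and the "double base64" test is a heuristic: a token counts as double-encoded when it decodes to printable base64 that decodes again.

```python
import base64
import re

# A `uses:` step reference has the form owner/repo[/subpath]@ref.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(\S+)", re.M)
# A full commit SHA is 40 lowercase hex characters; anything else (tag, branch) can be moved.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Candidate base64 tokens: long runs of the base64 alphabet with optional padding.
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def find_unpinned_actions(workflow_text, target="tj-actions/changed-files"):
    """Return (action, ref) pairs where the target action is not pinned to a full commit SHA."""
    findings = []
    for match in USES_RE.finditer(workflow_text):
        action, ref = match.group(1), match.group(2)
        repo = "/".join(action.split("/")[:2])  # drop any subpath inside the repo
        if repo.lower() == target and not FULL_SHA_RE.match(ref):
            findings.append((action, ref))
    return findings


def is_double_base64(token):
    """True when token decodes to ASCII that is itself valid base64 (two encoding layers)."""
    try:
        inner = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    try:
        inner_text = inner.decode("ascii").strip()
    except UnicodeDecodeError:
        return False
    if not B64_TOKEN_RE.fullmatch(inner_text):
        return False
    try:
        base64.b64decode(inner_text, validate=True)
    except ValueError:
        return False
    return True


def find_double_base64_lines(log_text):
    """Return (line_number, token) for every log line carrying a double-encoded token."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for token in B64_TOKEN_RE.findall(line):
            if is_double_base64(token):
                hits.append((lineno, token))
    return hits


def double_encode(text):
    """Helper used only to build the constructed sample log line."""
    return base64.b64encode(base64.b64encode(text.encode())).decode()


# Constructed workflow: one tag-pinned step (flagged) and one SHA-pinned step (placeholder SHA, not real).
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  changed:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Tag reference (flagged)
        uses: tj-actions/changed-files@v45
      - name: SHA reference (accepted)
        uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
"""

# Constructed log: line 3 carries a double-encoded placeholder value, the rest is ordinary output.
SAMPLE_LOG = "\n".join([
    "2025-03-14T20:01:02Z Run tj-actions/changed-files@v45",
    "2025-03-14T20:01:03Z All changed files: src/app.py",
    "2025-03-14T20:01:04Z " + double_encode("SECRET=EXAMPLE_TOKEN_PLACEHOLDER_NOT_REAL_0000"),
    "2025-03-14T20:01:05Z Done in 1.2s",
])

if __name__ == "__main__":
    for action, ref in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"unpinned: {action}@{ref}")
    for lineno, token in find_double_base64_lines(SAMPLE_LOG):
        print(f"double-base64 token on log line {lineno}: {token[:24]}...")
```

Run against real workflow files and downloaded job logs, every hit from the first check is a step to re-pin to a reviewed commit SHA, and every hit from the second is a line whose secrets should be treated as exposed and rotated. The heuristic will not catch output that was split across lines or encoded with a different alphabet, so treat a clean scan as a reason to keep looking, not as proof of absence.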

Tags: Exploit · Fix · RCE


Weakness Enumeration

Related Identifiers

BDU:2026-00066
CVE-2025-30066
GHSA-MRRH-FWG8-R2C3

Affected Products

Tj-Actions