Supply Chain Security Risk: GitHub Action tj-actions/changed-files Compromised

Supply Chain Security Risk: GitHub Action tj-actions/changed-files Compromised Background: Understanding tj-actions/changed-files Technical Details on GitHub Action tj-actions How to Check if You’re Impacted Immediate Next Steps How Aqua Security Helps CVE-2025-30066 On March 14th, 2025, security researchers discovered a critical software supply chain vulnerability in the widely-used GitHub Action tj-actions/changed-files ( CVE-2025-30066 ). This vulnerability allows remote attackers to expose CI/CD secrets via the action’s build logs. The issue affects users who rely on the tj-actions/changed-files action in GitHub workflows to track changed files within a pull request. tj-actions/changed-files tj-actions/changed-files Due to the compromised action, sensitive CI/CD secrets are being inadvertently logged in the GitHub Actions build logs. If these logs are publicly accessible, such as in public repositories, unauthorized users could access and retrieve the clear text secrets. However, there is no evidence suggesting that the exposed secrets were transmitted to any external network. The tj-actions/changed-files action is widely used in GitHub CI/CD workflows to efficiently detect file changes within pull requests, streamlining development processes by conditionally triggering actions based on modified files. With over 23,000 active repositories and more than 1 million monthly downloads, its widespread adoption makes this compromise particularly impactful, exposing numerous organizations to potential supply chain attacks. tj-actions/changed-files According to the initial report by StepSecurity this incident was first discovered at 4PM UTC on March 14th, 2025, and isolated by 10:30 AM UTC on March 15th, 2025. But, we still warmly advise to avoid using this action until this matter is fully resolved. Initial investigation implies on a malicious commit ( hash:0e58ed8671d6b60d0890c21b07f8835ace038e67 ), and a retroactive compromise of multiple versions, possibly all versions. hash:0e58ed8671d6b60d0890c21b07f8835ace038e67 The attackers introduced malicious JavaScript code directly into the dist/index.