Open Source · 2025-03-11 · 6 days · Data Exfiltration

reviewdog/action-setup leaked GitHub Actions secrets

Part of the reviewdog and tj-actions leaked CI secrets campaign

Attackers obtained a contributor's Personal Access Token (PAT) that carried write access to the repository; the token was traced back to an earlier leak from the SpotBugs project.

Story

On March 11, 2025, an attacker quietly re-pointed the v1 tag on reviewdog/action-setup, a widely used GitHub Action, to a commit that printed CI secrets into workflow logs. The move was the opening play in a chain that, three days later, would expose secrets across more than 23,000 repositories using tj-actions/changed-files.

Reviewdog is a popular open-source code-review automation tool, and action-setup is the GitHub Action that installs it inside a workflow. Because most consumers pinned the action by tag rather than by an immutable commit SHA, the moved tag silently shipped attacker-controlled code on the next run.
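One defensive check the pinning point above implies, as an added example that is not part of the original record: a scanner that flags every `uses:` reference in a workflow file that is not pinned to an immutable 40-hex commit SHA. The sample workflow, its placeholder SHA and the function names are constructed for illustration.

```python
"""Scan GitHub Actions workflow text for `uses:` references that are not
pinned to an immutable 40-hex commit SHA.  Added example; the workflow
snippet below is constructed for illustration, not taken from the incident."""
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)['\"]?")


def classify_ref(uses_value: str) -> str:
    """Return 'local', 'docker', 'sha' or 'mutable' for one `uses:` value."""
    if uses_value.startswith("./"):
        return "local"          # action checked out with the repo itself
    if uses_value.startswith("docker://"):
        return "docker"         # image reference; pin by digest separately
    if "@" not in uses_value:
        return "mutable"        # no ref at all resolves to the default branch
    _, ref = uses_value.rsplit("@", 1)
    # A tag (v1) or branch (main) can be moved; only a full SHA is immutable.
    return "sha" if SHA_RE.match(ref) else "mutable"


def find_unpinned(workflow_text: str) -> list:
    """Return (line_number, uses_value) for every mutable-ref `uses:` line."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and classify_ref(m.group(1)) == "mutable":
            findings.append((lineno, m.group(1)))
    return findings


# Constructed sample workflow mixing a SHA pin, tag pins and a local action.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # placeholder SHA
      - uses: reviewdog/action-setup@v1
      - uses: ./.github/actions/local-lint
      - uses: tj-actions/changed-files@main
"""

if __name__ == "__main__":
    for lineno, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} is not pinned to a commit SHA")
```

The scan is line-based: it does not resolve reusable workflows or verify that a pinned SHA actually belongs to the repository named before the `@`.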

Researchers at Wiz, StepSecurity, and Palo Alto Networks' Unit 42 traced the initial access to a Personal Access Token that had been leaked through an earlier compromise of the SpotBugs project. The token carried write access to the reviewdog repository, which the attacker used to swap the tag to commits including f0d342d24037bb11d26b9bd8496e0808ba32e9ec. The malicious action wrote secrets from the runner into the workflow log in a recoverable form, where any reader of a public log could harvest them.

The exposure that mattered most was not the credentials of reviewdog users directly, but a token reachable from those logs that carried write access to tj-actions/changed-files. CISA, Wiz, StepSecurity, and Unit 42 all described the two incidents as a single chain: reviewdog supplied the pivot, and tj-actions (tracked separately as [[tj-actions-changed-files]]) delivered the broad blast radius.

Affected Artifacts

Incident Context

Motive: Credential Theft
Cause: Compromised Account Credentials
Transitive: No
User Impact: 1500

External References

Source record: oss/attacks/reviewdog_action-setup/meta.yaml