reviewdog/action-setup
reviewdog/action-setup GitHub Action compromise leaks secrets
Attackers compromised a contributor's Personal Access Token (PAT), traced back to an earlier leak from the SpotBugs project, which granted write access to the repository. They updated the `v1` tag of the official `reviewdog/action-setup` GitHub Action to point to malicious code (commit `f0d342d`). For approximately 2 hours, workflows referencing `@v1` executed this code, which dumped secrets (such as GITHUB_TOKEN) from the runner environment into publicly accessible workflow logs. This incident was a precursor that enabled the later compromise of the `tj-actions/changed-files` action.
- Date
- 2025-03-11 to 2025-03-17
- Category
- Open Source
- Target Surface
- Revision control
- Insertion Phase
- CI/CD
- Impact
- Data Exfiltration
- Cause
- Compromised Account/Credentials
What Was Affected
- Package
- reviewdog/action-setup
- Language
- Shell
- Component
- CI/CD plugin
- Artifact type
- revision control system
- Domain type
- code host
- Domain
- github.com
Compromised Versions
- v1
Incident Context
- Motive
- Credential Theft
- Attribution
- Individual Hacker
- Transitive
- No
- User Impact
- 1500
- Observed Duration
- 6 days
Evidence
Compromised Artifacts
- github.com/reviewdog/action-setup/tree/f0d342d24037bb11d26b9bd8496e0808ba32e9ec
- github.com/reviewdog/action-setup/tree/v1
Current Artifacts and Analysis
Indicators and Changes
Hashes
sha1:f0d342d24037bb11d26b9bd8496e0808ba32e9ec
Commits
f0d342d24037bb11d26b9bd8496e0808ba32e9ec
External References
- github.com/reviewdog/reviewdog/security/advisories/GHSA-qmg3-hpqr-gqvc
- nvd.nist.gov/vuln/detail/CVE-2025-30154
- cisa.gov/news-events/alerts/2025/03/18/supply-chain-compromise-third-party-tj-actionschanged-files-cve-2025-30066-and-reviewdogaction
- nvd.nist.gov/vuln/detail/CVE-2025-30066
- github.com/reviewdog/reviewdog/issues/2079
Source Data
Source record: oss/reviewdog_action-setup/meta.yaml