tj-actions/changed-files leaked CI secrets
Part of the reviewdog and tj-actions leaked CI secrets campaign
Attackers used a token stolen through the reviewdog/action-setup compromise to rewrite tj-actions/changed-files tags to a malicious commit.
Story
On March 14, 2025, an attacker rewrote every version tag on tj-actions/changed-files, a GitHub Action used by more than 23,000 repositories, redirecting them to a single commit that dumped CI secrets into public workflow logs. The move turned a routine helper into one of the largest CI/CD credential-exposure events on record.
The action does one mundane thing: it tells a workflow which files changed in a given commit or pull request. That made it ubiquitous in CI pipelines, and most consumers pinned it by tag rather than by an immutable commit SHA. When the tag moved, the malicious code shipped on the next run.
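The tag-versus-SHA distinction above is the control that decides whether a moved tag ever reaches a pipeline, so it is worth auditing mechanically. The following Python script is an added example, not code from the page or from the tj-actions project: it walks the `uses:` lines of a workflow file and classifies each third-party action as pinned to a full commit SHA, referenced by a mutable tag or branch, or pointing at a reference already known to be malicious. The workflow text is a constructed sample and the helper names (`parse_uses`, `audit`, `KNOWN_BAD_REFS`) are assumptions of this example; the only real identifier in it is the malicious commit SHA quoted from this page.

```python
import re

# Constructed sample workflow (not taken from any real repository).
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: tj-actions/changed-files@0e58ed8671d6b60d0890c21b07f8835ace038e67
      - uses: docker://alpine:3.19
      - uses: ./.github/actions/local-thing
      - name: run
        run: echo hi
"""

# Matches `uses:` lines and captures the action spec, with or without quotes.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
# A full 40-hex commit SHA is the only immutable reference form.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Known-malicious (action, ref) pairs; the SHA below is the changed-files
# commit named in the incident write-ups.
KNOWN_BAD_REFS = {
    ("tj-actions/changed-files", "0e58ed8671d6b60d0890c21b07f8835ace038e67"),
}


def parse_uses(workflow_text):
    """Return (action, ref) pairs for every remote `uses:` entry."""
    found = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        spec = m.group(1)
        if spec.startswith("./") or spec.startswith("docker://"):
            # Local composite actions and Docker images are out of scope here.
            continue
        action, sep, ref = spec.partition("@")
        found.append((action, ref if sep else ""))
    return found


def audit(workflow_text):
    """Classify each remote action reference.

    Returns a list of (action, ref, verdict) where verdict is one of
    'known-bad', 'pinned' (full commit SHA) or 'mutable' (tag, branch, or
    no ref at all). Known-bad wins even when the ref is a full SHA.
    """
    results = []
    for action, ref in parse_uses(workflow_text):
        if (action, ref) in KNOWN_BAD_REFS:
            verdict = "known-bad"
        elif FULL_SHA_RE.match(ref):
            verdict = "pinned"
        else:
            verdict = "mutable"
        results.append((action, ref, verdict))
    return results


if __name__ == "__main__":
    for action, ref, verdict in audit(SAMPLE_WORKFLOW):
        print(f"{verdict:10s} {action}@{ref}")
```

A SHA pin only helps if the SHA was reviewed when it was chosen, which is why the known-bad check runs first: the malicious commit in this incident is itself a perfectly valid 40-hex pin. Tooling such as Dependabot or Renovate can keep SHA pins current so that pinning does not turn into never updating.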
The malicious commit, 0e58ed8671d6b60d0890c21b07f8835ace038e67, embedded a base64-encoded shell script that fetched memdump.py from a GitHub Gist, ran it against the GitHub Actions Runner.Worker process, scanned process memory for values flagged as secrets, and printed each one to the workflow log as double-encoded base64. No external command-and-control server was needed for the broad campaign; the log itself was the exfiltration channel, and any reader of a public workflow run could harvest the result.
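Because the exfiltration channel was the workflow log itself, one defensive check a repository owner can run over retained logs is to look for credential-shaped strings hidden under one or two layers of base64. The Python code below is an added example, not part of the page or of any vendor's tooling: it peels base64 layers off each long token in a log line and matches the decoded text against a short list of secret patterns. The log lines are constructed, the dummy credential is AWS's documented example key `AKIAIOSFODNN7EXAMPLE` (not a live secret), and the function names and pattern list are assumptions of this example.

```python
import base64
import binascii
import re

# Deliberately short pattern list; a production scanner would carry many more.
SECRET_PATTERNS = [
    ("aws-access-key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github-pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("private-key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
]
# Candidate base64 tokens: long runs of the base64 alphabet plus padding.
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

# Constructed dummy: AWS's published example key, base64-encoded twice, the
# shape the incident write-ups describe for the leaked values.
_DOUBLE_ENCODED_DUMMY = base64.b64encode(
    base64.b64encode(b"AKIAIOSFODNN7EXAMPLE")
).decode("ascii")

# Constructed sample log lines (not from any real workflow run).
SAMPLE_LOG_LINES = [
    "2025-03-14T12:00:00Z Run tj-actions/changed-files@v45",
    "2025-03-14T12:00:01Z " + _DOUBLE_ENCODED_DUMMY,
    "2025-03-14T12:00:02Z All changed files: src/main.py README.md",
]


def _is_texty(s):
    """True if the string is printable ASCII plus ordinary whitespace."""
    return all(c.isprintable() or c in "\r\n\t" for c in s)


def decode_layers(token, max_layers=2):
    """Repeatedly base64-decode `token` while the output is still text.

    Returns the decoded strings, outermost first; an empty list means the
    token was not valid base64 at all.
    """
    out = []
    current = token
    for _ in range(max_layers):
        try:
            raw = base64.b64decode(current, validate=True)
        except (binascii.Error, ValueError):
            break
        try:
            text = raw.decode("ascii")
        except UnicodeDecodeError:
            break
        if not _is_texty(text):
            break
        out.append(text)
        current = text
    return out


def scan_log(lines):
    """Return (line_number, pattern_name, depth) for each hit.

    depth 0 means the secret was in clear text; depth N means it was found
    after N base64 decodes.
    """
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for kind, pat in SECRET_PATTERNS:
            if pat.search(line):
                hits.append((lineno, kind, 0))
        for token in B64_TOKEN_RE.findall(line):
            for depth, text in enumerate(decode_layers(token), start=1):
                for kind, pat in SECRET_PATTERNS:
                    if pat.search(text):
                        hits.append((lineno, kind, depth))
    return hits


if __name__ == "__main__":
    for lineno, kind, depth in scan_log(SAMPLE_LOG_LINES):
        print(f"line {lineno}: {kind} (base64 depth {depth})")
```

Finding a hit in a public log means the value is already exposed; the response is to rotate the credential and then look for what used it, not to scrub the log and move on. Expect some noise from long hexadecimal or alphanumeric tokens that happen to decode to printable text, and tune the pattern list to the credential types your pipelines actually hold.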
Researchers at Wiz, StepSecurity, and Palo Alto Networks' Unit 42 tied the incident to the earlier reviewdog/action-setup compromise three days prior. According to Unit 42, the operation began as a targeted attack on Coinbase: a token recovered from a reviewdog-poisoned workflow gave the attacker write access to tj-actions/changed-files, and once Coinbase removed the vulnerable workflow, the attacker repointed all changed-files tags to the malicious commit, broadening the impact to every downstream consumer.
Wiz reported AWS access keys, GitHub Personal Access Tokens, npm tokens, private RSA keys, and other credentials exposed in affected public repositories. CISA issued an alert on March 18 cataloging the chain as CVE-2025-30066 and CVE-2025-30154. The Register, citing StepSecurity, put the population of dependent repositories at more than 23,000; how many actually executed the malicious commit during the exposure window remains unclear.
Affected Artifacts
- Observed: 2025-03-14 to 2025-03-15
- Compromised Versions: Unknown
- Fixed: Not listed
- Evidence:
  - distribution: github.com/tj-actions/changed-files/tree/0e58ed8671d6b60d0890c21b07f8835ace038e67
  - distribution: github.com/tj-actions/changed-files/archive/0e58ed8671d6b60d0890c21b07f8835ace038e67.zip
  - mirror: wiz.io/blog/github-action-tj-actions-changed-files-supply-chain-attack-cve-2025-30066
  - mirror: stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised
  - 9 further evidence links are not reproduced here
- The Register and StepSecurity reported that more than 23,000 repositories used tj-actions/changed-files; this is an exposure count, not a confirmed victim count.
- Wiz reported dozens of public repositories with exposed secrets, including large enterprise repositories.
Incident Context
- Motive: Credential Theft
- Cause: Compromised Account Credentials
- Transitive: No
- User Impact: 23000
External References
- CVE-2025-30066 (nvd.nist.gov)
- MITRE CVE-2025-30066 (cve.mitre.org)
- Supply Chain Compromise of tj-actions/changed-files and reviewdog/action-setup (cisa.gov)
- GitHub Action tj-actions/changed-files supply chain attack (wiz.io)
- Harden-Runner detection: tj-actions/changed-files Action is compromised (stepsecurity.io)
- tj-actions/changed-files issue reporting the malicious changed-files commit (github.com)
- GitHub supply chain attack spills secrets from 23,000 projects (theregister.com)
- GitHub Actions Supply Chain Attack (unit42.paloaltonetworks.com)
Source record: oss/attacks/tj-actions_changed-files/meta.yaml