

Ethical Hacking News

A Supply Chain Vulnerability in GitHub Actions Exposes 218 Repositories to Malicious Attacks



A recent security incident in GitHub Actions has exposed 218 repositories to malicious attacks, highlighting the potential risks associated with supply chain vulnerabilities. The vulnerability was exploited by an attacker who compromised the "tj-actions/changed-files" GitHub Action and used it to leak sensitive secrets from affected repositories. This incident underscores the importance of securing CI/CD tools against supply chain vulnerabilities and taking proactive measures to detect and respond to attacks.

  • A recent security incident highlighted the potential risks associated with supply chain vulnerabilities in GitHub Actions, a popular CI/CD tool.
  • The vulnerability, CVE-2025-30066, was exploited by an attacker who compromised the "tj-actions/changed-files" GitHub Action and used it to leak sensitive secrets from repositories that ran the workflow.
  • The attack resulted in the exposure of 218 GitHub repositories, but the actual effect is smaller than initially reported.
  • Security researchers emphasize the importance of securing GitHub Actions and other CI/CD tools against supply chain vulnerabilities.
  • The attack highlights the tactics, techniques, and procedures (TTPs) of attackers who exploit supply chain vulnerabilities, including leveraging dangling commits and obfuscating activities in workflow logs.
  • The compromise of another GitHub Action called "reviewdog/action-setup" has been discovered, highlighting the need for better threat intelligence and proactive security measures to detect and respond to such attacks.



    A recent security incident highlighted the potential risks associated with supply chain vulnerabilities in GitHub Actions, a popular CI/CD tool used by developers worldwide. The vulnerability, identified as CVE-2025-30066, was discovered after an attacker compromised the "tj-actions/changed-files" GitHub Action and used it to leak sensitive secrets from repositories that ran the workflow.

    According to Palo Alto Networks Unit 42, the attack started with a highly targeted attack against one of Coinbase's open-source projects, specifically the agentkit repository. The attacker exploited the public CI/CD flow of the repository by injecting code into the "tj-actions/changed-files" GitHub Action, which leaked sensitive secrets from repositories that ran the workflow. This was done by modifying the "changelog.yml" file in the agentkit repository using a fork pull request to point to a malicious version of "tj-actions/changed-files".

    The attack resulted in the exposure of 218 GitHub repositories, with most of them leaking short-lived GITHUB_TOKENs that expired once the workflow run was completed. However, this finding contradicts initial reports suggesting a larger impact. The actual effect of the vulnerability is smaller than anticipated, according to security researcher Henrik Plate.

    Despite the relatively small scale of the attack, it has highlighted the importance of securing GitHub Actions and other CI/CD tools against supply chain vulnerabilities. This includes reviewing GitHub Actions, or any other package used in code, before updating to new versions. It also means monitoring workflow logs for signs of tampering, since the attacker in this case used techniques such as dangling commits to conceal their tracks.
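A defender-side check, added here as an example and not part of the article or of any project it names: it scans a workflow file for third-party Actions referenced by a mutable tag or branch instead of a full commit SHA, and flags the Actions named in this article however they are pinned. The sample workflow and the 40-character SHA in it are constructed placeholders.

```python
import re

# Actions named in the article; flagged however they are pinned.
WATCHLIST = {"tj-actions/changed-files", "tj-actions/eslint-changed-files",
             "reviewdog/action-setup"}
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_uses(value):
    """Split 'owner/repo[/path]@ref' into (owner/repo, ref); None for local or docker steps."""
    if value.startswith(("./", "docker://")) or "@" not in value:
        return None
    target, ref = value.rsplit("@", 1)
    parts = target.split("/")
    return ("/".join(parts[:2]), ref) if len(parts) >= 2 else None


def audit_workflow(text):
    """Return (line_no, action, ref, reason) for every step that needs review."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        parsed = parse_uses(m.group(1)) if m else None
        if parsed is None:
            continue
        action, ref = parsed
        if action in WATCHLIST:
            findings.append((line_no, action, ref, "watchlisted action"))
        elif not SHA_RE.match(ref):
            findings.append((line_no, action, ref, "mutable ref (tag or branch)"))
    return findings


# Constructed sample workflow; the commit SHA below is a made-up placeholder.
SAMPLE_WORKFLOW = """\
jobs:
  changelog:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: tj-actions/changed-files@v45
      - uses: ./.github/actions/local-step
      - uses: reviewdog/action-setup@v1
      - uses: actions/setup-node@v4
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print("line %d: %s@%s -- %s" % f)
```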

    The attack also sheds light on the tactics, techniques, and procedures (TTPs) of attackers who exploit supply chain vulnerabilities. In this case, the attacker used various techniques, including leveraging dangling commits, creating multiple temporary GitHub user accounts, and obfuscating their activities in workflow logs. This suggests that the attacker is highly skilled and has a deep understanding of CI/CD security threats and attack tactics.

    Furthermore, the breach of another GitHub Action called "reviewdog/action-setup" has been discovered; "tj-actions/changed-files" relies on it as a dependency via "tj-actions/eslint-changed-files". This compromise, tracked as CVE-2025-30154 and carrying a payload similar to the one in the tj-actions incident, enabled the attacker to obtain a personal access token (PAT) associated with "tj-actions/changed-files", thereby allowing them to modify the repository and push malicious code.

    The compromise of GitHub Actions highlights the importance of maintaining up-to-date dependencies, monitoring workflow logs, and taking measures to protect against supply chain vulnerabilities. It also underscores the need for better threat intelligence and proactive security measures to detect and respond to such attacks in a timely manner.

    In addition, this incident raises questions about how an attacker was able to gain access to a token with write access to the reviewdog organization. The exact manner in which this token may have been acquired remains unknown at this stage, highlighting the need for further investigation into this aspect of the attack.

    In conclusion, the recent security incident involving GitHub Actions has highlighted the importance of securing CI/CD pipelines against supply chain vulnerabilities and taking proactive measures to detect and respond to attacks. It also underscores the need for better threat intelligence and proactive security measures to mitigate such risks in the future.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/A-Supply-Chain-Vulnerability-in-GitHub-Actions-Exposes-218-Repositories-to-Malicious-Attacks-ehn.shtml

  • https://thehackernews.com/2025/03/github-supply-chain-breach-coinbase.html


  • Published: Sun Mar 23 02:41:20 2025 by llama3.2 3B Q4_K_M
