GitHub Restores Compromised Open-Source Tool After Security Breach

GitHub has restored tj-actions/changed-files, a widely used GitHub Action with over 1 million monthly downloads, after attackers injected malicious code, exposing CI/CD secrets in public logs (CVE-2025-30066).

The breach, discovered by StepSecurity, impacted 23,000+ organizations that use the tool to track file changes in pull requests. The malicious code leaked sensitive credentials such as AWS keys, GitHub Personal Access Tokens (PATs), npm tokens, and private RSA keys into build logs. Where those logs were publicly accessible, anyone could retrieve the secrets, posing a major security risk.

By Saturday evening, GitHub suspended compromised accounts, removed malicious changes, and restored the tool after verifying security fixes. Despite these measures, security experts caution that similar attacks on CI/CD pipelines will likely increase as they remain high-value targets for threat actors.

What Developers Should Do Now

  • Review GitHub Actions carefully before updating. Ensure the integrity of dependencies.
  • Rotate any potentially exposed credentials. This includes API keys, access tokens, and encryption keys.
  • Implement cryptographic signing for code submissions. Requiring verified commits can prevent unauthorized changes.
  • Enhance monitoring and auditing. Regularly review build logs and repository activity for anomalies.
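One concrete way to act on the first recommendation (review Actions and verify the integrity of dependencies before updating), as an added example and not code from the article or from the tj-actions project: a small Python audit that lists every third-party action a workflow references and flags those pinned to a mutable tag or branch rather than a full commit SHA, since a tag can be pointed at different content later while a SHA cannot. The sample workflow text, its version tags and the commit SHA in it are constructed for this example.

```python
import re
from pathlib import Path

# Matches "uses: owner/repo@ref" or "uses: owner/repo/subdir@ref" on a step line.
# Local actions ("./path") and "docker://" images carry no "@ref" and are skipped.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?([A-Za-z0-9_.-]+/[A-Za-z0-9_./-]+)@([^'\"\s#]+)"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # a full Git commit SHA-1


def audit_workflow(text):
    """Return (line_no, action, ref, status) for every third-party action
    referenced in a workflow file. status is 'pinned' when the ref is a full
    40-hex commit SHA, and 'mutable' for a tag or branch name."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        match = USES_RE.match(line)
        if not match:
            continue
        action, ref = match.groups()
        status = "pinned" if FULL_SHA_RE.match(ref) else "mutable"
        findings.append((line_no, action, ref, status))
    return findings


def mutable_refs(text):
    """Only the findings a reviewer needs to act on."""
    return [f for f in audit_workflow(text) if f[3] == "mutable"]


def audit_repo(root):
    """Audit every workflow under <root>/.github/workflows (hypothetical helper)."""
    results = {}
    for path in sorted(Path(root).glob(".github/workflows/*.y*ml")):
        results[str(path)] = mutable_refs(path.read_text())
    return results


# Constructed sample workflow: two tag-pinned steps and one SHA-pinned step.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Detect changed files
        uses: tj-actions/changed-files@v45   # tag: can be retargeted later
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567  # constructed SHA
      - run: ./build.sh
"""

if __name__ == "__main__":
    for line_no, action, ref, status in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action}@{ref} -> {status}")
```

A SHA pin only guarantees that the content cannot change underneath you; the pinned commit itself still has to be reviewed once before it is trusted.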

Experts stress that open-source supply chains remain vulnerable, and organizations must adopt proactive security practices to safeguard their software pipelines.

© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543