GitHub Action Compromise Risks Data Leaks for 23,000 Repositories

March 18, 2025

DevOps reports:

A popular GitHub Action used in more than 23,000 code repositories has been compromised in a supply chain attack by attackers who introduced a malicious commit aimed at leaking secrets like passwords held in public repositories.

In the compromise, which is being tracked as CVE-2025-30066, bad actors modified the code in GitHub Actions tj-actions/changed-files – which is used by repositories to track change files – by injecting a Node.js function that includes base64-encoded instructions that download a malicious Python script that scans the memory of GitHub Runner, which runs jobs from a GitHub Actions workflow.

GitHub Runner’s memory holds passwords and other credentials used in the continuous integration and continuous delivery (CI/CD) pipeline.

“The compromised Action prints CI/CD secrets in GitHub Actions build logs. If the workflow logs are publicly accessible (such as in public repositories), anyone could potentially read these logs and obtain exposed secrets,” Varun Sharma, co-founder and CEO of startup StepSecurity, wrote in a report.

Read more at DevOps.com.
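
To see whether a repository's workflows reference the action named above, the following script (an added example, not code from DevOps.com or StepSecurity) lists every `uses:` step for tj-actions/changed-files and marks whether its ref is a full commit SHA or a tag or branch that can be moved to a different commit. The sample workflow, its refs and the SHA are constructed, and the function names are hypothetical.

```python
import re
from pathlib import Path

ACTION = "tj-actions/changed-files"  # the action named in the report above
# `uses: owner/repo[/subpath]@ref`, with optional list dash and quotes.
# Anchored at line start, so commented-out steps never match.
USES_RE = re.compile(
    r"""^\s*(?:-\s*)?uses\s*:\s*["']?(?P<name>[^@\s"'#]+)@(?P<ref>[^\s"'#]+)"""
)
FULL_SHA_RE = re.compile(r"[0-9a-fA-F]{40}")

# Constructed sample workflow; refs and SHA are made up for illustration.
SAMPLE = """\
steps:
  - uses: actions/checkout@main
  - uses: tj-actions/changed-files@main
  # - uses: tj-actions/changed-files@v0.0.0-example
  - name: pinned step
    uses: TJ-Actions/changed-files@0123456789abcdef0123456789abcdef01234567
"""


def find_action_refs(workflow_text, action=ACTION):
    """Return (line_no, ref, pinned) for each step that uses `action`."""
    hits = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        # Compare owner/repo only; GitHub treats these names case-insensitively.
        owner_repo = "/".join(m.group("name").split("/")[:2]).lower()
        if owner_repo == action.lower():
            ref = m.group("ref")
            # Only a full 40-hex commit SHA is immutable; tags/branches can move.
            hits.append((line_no, ref, bool(FULL_SHA_RE.fullmatch(ref))))
    return hits


def scan_repo(root="."):
    """Map each workflow file under root to its hits (files without hits omitted)."""
    wf_dir = Path(root) / ".github" / "workflows"
    files = sorted(wf_dir.glob("*.y*ml")) if wf_dir.is_dir() else []
    found = {str(p): find_action_refs(p.read_text(errors="replace")) for p in files}
    return {path: hits for path, hits in found.items() if hits}


if __name__ == "__main__":
    for path, hits in scan_repo().items():
        print(path, hits)
```

Run it from the root of a checked-out repository; any hit on this action also means the workflow's past run logs are worth reviewing for printed secrets.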