GitHub vulnerability CVE-2025-30066 is now actively exploited, posing a major threat to developers and organizations using GitHub Actions.
According to a recent report, attackers targeted a GitHub Action called tj-actions/changed-files to access sensitive data. They injected malicious code into workflows by exploiting a supply chain weakness.
The attack allows hackers to steal secrets from action logs. These secrets may include AWS keys, GitHub tokens, npm credentials, and even private RSA keys.
Researchers believe this started as a cascading supply chain attack. Specifically, threat actors compromised another GitHub Action, reviewdog/action-setup@v1. That action was used as a dependency within tj-actions/changed-files.
Therefore, when developers used the tj-actions Action, they unknowingly triggered the infected script. The script included a Base64-encoded payload inside a file called install.sh.
This payload exposed repository secrets by printing them to logs. For example, access tokens stored in the workflow environment could be leaked to attackers.
The exploit only affects version tag v1 of the reviewdog setup Action. However, since it was widely used, the impact is significant.
The attackers gained access through a stolen GitHub Personal Access Token (PAT). With this token, they updated the v1 tag to point to malicious code.
Because the reviewdog organization allows many contributors, the risk of future compromise remains. In fact, adding contributors through automation may have increased that risk.
How to Stay Protected
To defend against this threat, update to tj-actions/changed-files@v46.0.1 immediately. Also, avoid relying on version tags: pin your GitHub Actions to specific commit hashes instead, since a tag can be repointed to different code while a full commit hash cannot.
Next, review past CI/CD logs for unusual output. Rotate all secrets exposed in past builds, including tokens and keys.
Moreover, limit contributor access and avoid automated invites where possible. Use GitHub’s built-in security alerts to monitor changes. By combining version control best practices with careful monitoring, developers can reduce the chances of another widespread attack.
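The pinning advice above can be checked mechanically. The following script is an added example, not code from the article or from either project: it scans the uses: lines of a workflow file and flags every reference that is a tag or branch rather than a full 40-character commit hash. The workflow text is constructed for the example, and the SHA in it is a placeholder, not a real commit; note that even the recommended tj-actions/changed-files@v46.0.1 is reported, because a tag is still mutable.

```python
"""Flag GitHub Actions 'uses:' references that are not pinned to a full commit SHA.

Added example, not part of the original article. SAMPLE_WORKFLOW is constructed;
the 40-hex SHA in it is a placeholder, not a real commit.
"""
import re

# Matches "uses: owner/repo[/path]@ref"; stops at whitespace, quotes or a comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)['\"]?")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa  # placeholder SHA
      - uses: tj-actions/changed-files@v46.0.1
      - uses: reviewdog/action-setup@v1
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""


def audit_uses(workflow_text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, reference, reason) for every mutable 'uses:' reference."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local actions and container images are outside this check
        if "@" not in ref:
            findings.append((line_no, ref, "no ref given (resolves to the default branch)"))
            continue
        version = ref.rpartition("@")[2]
        if FULL_SHA_RE.match(version):
            continue  # immutable: repointing a tag cannot change what runs here
        findings.append((line_no, ref, f"mutable ref '{version}' (tag or branch)"))
    return findings


if __name__ == "__main__":
    for line_no, ref, reason in audit_uses(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {ref}: {reason}")
```

Run it against each workflow under .github/workflows/ and treat any finding as a reference to replace with the commit hash of the release you have reviewed.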
Sleep well, we got you covered.