
Supply Chain Compromise of Third-Party tj-actions/changed-files (CVE-2025-30066) and reviewdog/action-setup@v1 (CVE-2025-30154)

A popular third-party GitHub Action, tj-actions/changed-files (tracked as CVE-2025-30066), was compromised. tj-actions/changed-files is designed to detect which files have changed in a pull request or commit. The supply chain compromise allows for information disclosure of secrets including, but not limited to, valid access keys, GitHub Personal Access Tokens (PATs), npm tokens, and private RSA keys. This has been patched in v46.0.1. 

(Updated March 19, 2025) The compromise of tj-actions/changed-files was potentially enabled by a compromise of another GitHub Action, reviewdog/action-setup@v1 (tracked as CVE-2025-30154), which occurred around the same time. The following Actions may also be affected:  

  • reviewdog/action-shellcheck 
  • reviewdog/action-composite-template 
  • reviewdog/action-staticcheck 
  • reviewdog/action-ast-grep 
  • reviewdog/action-typos 


(Updated March 26, 2025) CISA added CVE-2025-30066 and CVE-2025-30154 to its Known Exploited Vulnerabilities Catalog.

CISA strongly urges users to implement the following recommendations to mitigate this compromise. If your organization is impacted:  

(Updated March 26, 2025) 

  • Identify affected repositories. Conduct an audit to locate all projects in your organization that used any version of tj-actions/changed-files between 2025-03-12 00:00 UTC and 2025-03-15 12:00 UTC, and/or reviewdog/action-setup@v1 (or the other reviewdog Actions listed above) on March 11, 2025, between 18:42 and 20:31 UTC.  
  • Identify exposed secrets. For public repositories with workflows that ran the malicious commit, check the workflow run logs for exposed access keys, GitHub Personal Access Tokens (PATs), npm tokens, and private RSA keys. Note: the exfiltrated secrets may not appear in clear text; they may be obfuscated as a double-encoded base64 payload that has to be decoded twice before it can be searched. 
  • Rotate all identified secrets immediately as they should be considered compromised. 
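The audit and secret-hunting steps above, carried out as an added example that is not part of the CISA alert and is not code from the tj-actions or reviewdog projects. It assumes the workflow files and job logs have already been fetched to local text (for example with `gh run view <run-id> --log`); the sample workflow, the log lines and the credential values embedded in them are constructed for the demonstration. The secret patterns are the documented prefixes of classic GitHub PATs (ghp_), AWS access key IDs (AKIA) and npm tokens (npm_) plus the PEM header of an RSA private key, not an exhaustive list. Going one step beyond the page, the audit also reports whether each reference is pinned to a full commit SHA rather than a mutable tag, since that is what decides whether a retagged release can reach a workflow.

```python
import base64
import binascii
import re

# Actions named in the advisory. Assumption: the list is taken verbatim from the alert text.
AFFECTED_ACTIONS = (
    "tj-actions/changed-files",
    "reviewdog/action-setup",
    "reviewdog/action-shellcheck",
    "reviewdog/action-composite-template",
    "reviewdog/action-staticcheck",
    "reviewdog/action-ast-grep",
    "reviewdog/action-typos",
)

# `uses: owner/repo@ref` (optionally with a sub-path) in a workflow file.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?([\w.-]+/[\w.-]+)(?:/[\w./-]+)?@([^\s'\"#]+)", re.M
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(workflow_text):
    """Return (action, ref, pinned_to_full_sha) for every affected action the workflow uses."""
    hits = []
    for action, ref in USES_RE.findall(workflow_text):
        if action in AFFECTED_ACTIONS:
            hits.append((action, ref, bool(FULL_SHA_RE.match(ref))))
    return hits


# Secret formats the advisory names. Assumption: documented prefixes for classic GitHub
# PATs, AWS access key IDs and npm tokens, plus the PEM header of an RSA key.
SECRET_RES = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "npm_token": re.compile(r"\bnpm_[A-Za-z0-9]{36}\b"),
    "rsa_private_key": re.compile(r"-----BEGIN RSA PRIVATE KEY-----"),
}
# A run of base64 alphabet long enough to be worth decoding (40+ chars, optional padding).
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decode_twice(token):
    """Base64-decode twice; return the text, or None if either layer is not valid base64."""
    try:
        inner = base64.b64decode(token, validate=True)
        plain = base64.b64decode(inner, validate=True)
    except (binascii.Error, ValueError):
        return None
    return plain.decode("utf-8", "replace")


def find_exposed_secrets(log_text):
    """Scan a workflow log for secrets, both in clear text and inside double-base64 payloads.

    Returns (kind, value, where) tuples; `where` is "plain" or "double-base64".
    """
    found = []
    for kind, rx in SECRET_RES.items():
        found.extend((kind, v, "plain") for v in rx.findall(log_text))
    for m in B64_RUN_RE.finditer(log_text):
        plain = decode_twice(m.group(0))
        if plain is None:
            continue  # ordinary base64 (or a commit SHA), not a double-encoded dump
        for kind, rx in SECRET_RES.items():
            found.extend((kind, v, "double-base64") for v in rx.findall(plain))
    return found


# --- Constructed sample input (not real data) ----------------------------------------
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: reviewdog/action-setup@v1
      - uses: reviewdog/action-shellcheck@0123456789abcdef0123456789abcdef01234567
"""

# Constructed dump of environment-style lines with placeholder credentials.
_FAKE_DUMP = (
    "GITHUB_TOKEN=ghp_" + "A" * 36 + "\n"
    "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
    "NPM_TOKEN=npm_" + "b" * 36 + "\n"
)
SAMPLE_LOG = "\n".join([
    "2025-03-14T10:02:11Z Run tj-actions/changed-files@v45",
    "2025-03-14T10:02:12Z "
    + base64.b64encode(base64.b64encode(_FAKE_DUMP.encode())).decode(),
    "2025-03-14T10:02:13Z All changed files: 3",
])

if __name__ == "__main__":
    for action, ref, pinned in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{action}@{ref}  pinned_to_sha={pinned}")
    for kind, value, where in find_exposed_secrets(SAMPLE_LOG):
        print(f"{kind} ({where}): {value[:8]}...  -> rotate")
```

Every value `find_exposed_secrets` returns should be treated as compromised and rotated regardless of whether the run was on a public or private repository; the decode step is deliberately strict (`validate=True`) so that ordinary base64 blobs and 40-character commit SHAs in the log are skipped rather than producing noise.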


Organizations should investigate and report incidents and malicious activity to CISA’s 24/7 Operations Center at Report@cisa.gov or (888) 282-0870.  

See the following resources for more guidance to reduce risk when using third-party GitHub Actions: 


This alert is provided “as is” for informational purposes only. CISA does not provide any warranties of any kind regarding any information within. CISA does not endorse any commercial product, entity, or service referenced in this alert or otherwise. 

About

Kenya Education Network CERT (KENET-CERT) is a Cybersecurity Emergency Response Team and Coordination Center operated by the National Research and Education Network of Kenya. The KENET-CERT coordination center promotes awareness of cybersecurity incidents and coordinates and assists member institutions in responding effectively to cybersecurity threats and incidents. KENET-CERT works closely with Kenya's National CIRT coordination center (CIRT/CC) as the sector CIRT for academic institutions. KENET promotes the use of ICT in teaching, learning and research in higher education institutions in Kenya. KENET aims to interconnect all universities, tertiary and research institutions in Kenya by setting up a cost-effective and sustainable private network with high-speed access to the global Internet. KENET also facilitates electronic communication among students and faculty in member institutions and the sharing of learning and teaching resources through collaboration in the research and development of educational content.