GitHub hacked. Action Supply Chain Attack: What Developers Need to Know

herbertmoroni — Tue, 18 Mar 2025 01:29:40 +0000

A tool called tj-actions/changed-files that many developers use in GitHub to track file changes was hacked. Someone took control of this tool and modified it to:

Secretly scan for passwords and secret keys in your project
Hide these secrets in your project's logs
Make these secrets visible to anyone who looks at public project logs

This is called a "supply chain attack" because hackers didn't attack you directly - they attacked a tool you rely on in your development supply chain. The CVE number (CVE-2025-30066) is just an official tracking ID for this security issue.

If you use this tool in your GitHub projects, you need to check if your passwords or secret keys were exposed and change them immediately.

How do I know if I'm affected?

You may be affected if:

You use the tj-actions/changed-files action in any of your workflows
You ran workflows with this action between March 1-15, 2025
You store secrets or credentials in GitHub that your workflows can access

To check:

Look in your .github/workflows folder for any YAML files (.yml or .yaml)
Search these files for tj-actions/changed-files
Check your workflow logs for suspicious base64-encoded strings (they look like random characters, often ending with ==)

What should I do if I'm affected?

Change all your secrets immediately
- GitHub personal access tokens
- API keys for any services
- Database passwords
- Cloud provider credentials (AWS, GCP, Azure)
Check for unauthorized activity
- Look for unexpected commits or changes to your repository
- Review access logs for your cloud resources
- Check for unusual API calls or account activity
Fix your workflows
- Remove the compromised action
- If you need this functionality, replace with a verified alternative
- Pin all actions to specific commit hashes instead of version tags

How can I protect myself from future supply chain attacks?

Even if you weren't affected, follow these practices:

Never use version tags in GitHub Actions

   # UNSAFE - can be hijacked
   - uses: some-action/example@v2

   # SAFE - points to specific immutable commit
   - uses: some-action/example@abc123def456...

Limit access to secrets
- Only provide secrets to jobs that absolutely need them
- Use separate, limited-scope tokens for CI/CD
Regularly rotate credentials
- Change tokens and passwords on a schedule
- Immediately rotate credentials when team members leave
Audit your dependencies
- Periodically review which actions your workflows use
- Check for security advisories before updating

Why do supply chain attacks matter?

Supply chain attacks are particularly dangerous because:

They exploit trust in established tools
They can affect thousands of developers at once
They're often hard to detect until damage is done

By being vigilant about which tools you use and how you configure them, you can significantly reduce your exposure to these attacks.

This article addresses the March 2025 compromise of tj-actions/changed-files (CVE-2025-30066).

DEV Community: herbertmoroni

GitHub hacked. Action Supply Chain Attack: What Developers Need to Know

How do I know if I'm affected?

What should I do if I'm affected?

How can I protect myself from future supply chain attacks?

Why do supply chain attacks matter?