GitHub Actions Supply Chain Attack

What is the Attack?

Recently, a popular third-party GitHub Action tj-actions/changed-files (CVE-2025-30066), used by over 23,000 repositories, was compromised, potentially exposing sensitive workflow secrets in any pipeline that integrated it.

Subsequent investigation revealed that the compromise of tj-actions/changed-files may be linked to a similar breach of another GitHub Action, reviewdog/action-setup@v1 (CVE-2025-30154). Multiple Reviewdog actions were affected during a specific timeframe, raising further concerns about the scope of the attack (see CVE-2025-30154 in the GitHub Advisory Database).

GitHub Actions, a widely used CI/CD platform, enables developers to automate software development pipelines with reusable workflow components. The supply chain compromise in this case poses a serious security risk, potentially exposing sensitive secrets such as valid access keys, GitHub Personal Access Tokens (PATs), npm tokens, and private RSA keys.

Both vulnerabilities have been assigned CVEs (CVE-2025-30066 and CVE-2025-30154) and have been added to CISA’s Known Exploited Vulnerabilities Catalog. As the investigation is ongoing, we will continue to monitor the situation and provide updates as more information becomes available.

What is the recommended Mitigation?

Review the GitHub Advisory for CVE-2025-30066 ("tj-actions changed-files through 45.0.7 allows remote attackers to discover secrets by reading actions logs", GitHub Advisory Database) and follow the mitigation steps below:

1. Identify usage: Search your repositories for the tj-actions/changed-files action and the other actions mentioned above to determine whether and where they have been used.

2. Review workflow logs: Examine past workflow runs for evidence of secret exposure and update workflows referencing the compromised commit.

3. Rotate potentially exposed secrets: As a precaution, rotate any secrets that may have been exposed during this timeframe to ensure the continued security of your workflows.

4. Investigate malicious activity: If you encounter any signs that the compromised action has been executed, investigate further for any signs of malicious activity.
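As an added example (not part of this advisory or of any FortiGuard tooling), the following Python audit covers step 1: it scans a repository's workflow files for `uses:` references to the actions named above and reports whether each reference is pinned to a full commit SHA, as GitHub's hardening guidance recommends. The embedded sample workflow is constructed for illustration only.

```python
import re
from pathlib import Path

# Actions named in the advisory above; reviewdog/ is matched as a family
# because several Reviewdog actions were affected in the same timeframe.
AFFECTED_ACTION_PATTERNS = [re.compile(r"^tj-actions/changed-files$"),
                            re.compile(r"^reviewdog/")]
# Matches `uses: owner/repo[/path]@ref`, quoted or not, one step per line.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^@\s'\"]+)@([^\s'\"#]+)",
                     re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(workflow_text):
    """Return one finding per step that uses an affected action.

    `pinned_to_sha` is False when the ref is a mutable tag or branch such as
    @v45, which GitHub's hardening guidance says to replace with a full SHA."""
    findings = []
    for action, ref in USES_RE.findall(workflow_text):
        if any(p.match(action) for p in AFFECTED_ACTION_PATTERNS):
            findings.append({"action": action, "ref": ref,
                             "pinned_to_sha": bool(FULL_SHA_RE.match(ref))})
    return findings


def audit_repo(repo_root):
    """Audit every workflow under .github/workflows of a checked-out repo."""
    results = {}
    for path in Path(repo_root, ".github", "workflows").glob("*.y*ml"):
        findings = audit_workflow(path.read_text(encoding="utf-8"))
        if findings:
            results[str(path)] = findings
    return results


# Constructed sample workflow (not taken from any real repository).
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  changed:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: "reviewdog/action-setup@v1"
      - uses: some-org/unaffected-action@0123456789abcdef0123456789abcdef01234567
"""
```

Run `audit_repo(".")` from a checked-out repository to list every workflow file that still references an affected action; any finding with `pinned_to_sha` False should be re-pinned after the advisory's review steps.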

See the following additional resource for further guidance:
Security hardening for GitHub Actions - GitHub Docs

What FortiGuard Coverage is available?

  • FortiGuard Labs recommends that users follow the instructions and mitigation steps given in the vendor's advisory.

  • The FortiGuard Incident Response team can be engaged to help with any suspected compromise.

  • A FortiGuard IPS signature has been added to detect and block malicious activity related to CVE-2025-30066 and CVE-2025-30154 (see Intrusion Prevention at FortiGuard Labs).

  • Lacework FortiCNAPP provides the following post-exploitation and CI/CD protection capabilities:
    - Anomalous Cloud Activity: Detects unusual access patterns, use of stolen credentials, and suspicious API behavior across AWS, Azure, and GCP.
    - CI/CD Integration: Enables detection of insecure infrastructure code and secrets during build workflows. FortiCNAPP scan results can be used to fail builds and prevent deployment of high-severity risks when integrated with CI/CD pipelines (e.g. GitHub Actions, GitLab CI).
    - Workload Threat Detection: Identifies runtime behaviors such as encoded exfiltration attempts, unexpected process activity, or behavior indicative of credential harvesting.
    - IaC and Secrets Scanning: Prevents misconfigurations and hardcoded secrets in Terraform, Kubernetes, and CI workflows.

  • FortiGuard Labs will provide updates as more information becomes available.