A major supply chain attack targeted GitHub Actions, one of the most widely used automation platforms in modern software development. The incident involved the compromise of the popular open-source Action tj-actions/changed-files, which had been adopted in more than 23,000 repositories. Researchers discovered that malicious code had been injected into the Action, enabling the exfiltration of sensitive secrets such as API keys and authentication tokens directly through workflow logs.
The breach was detected on 14 March 2025 by security experts at StepSecurity, who identified suspicious commits in the repository. Subsequent analysis revealed that the attackers had gained access through a dependency compromise in reviewdog/action-setup, likely via a leaked personal access token. This access allowed the insertion of malicious code that silently leaked secrets whenever the Action was executed. The exposure period, between 12 and 15 March 2025, placed thousands of organizations at risk, including high-profile enterprises such as Coinbase.
The issue was remediated by 20 March 2025, and the vulnerability was catalogued under CVE-2025-30066. Security vendors including Unit42, Wiz, Cycode, and Sysdig have urged organizations to rotate all secrets, audit logs for evidence of exposure, and strengthen dependency management. The incident underscores the systemic risks of open-source supply chains.
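One concrete form of the "strengthen dependency management" advice above is to pin every third-party Action to a full commit SHA instead of a mutable tag or branch: a workflow that references a 40-character SHA keeps running the exact code that was reviewed, whereas a tag can be retargeted to a malicious commit in the upstream repository. The script below is an added example, not code from the article or from any of the vendors it names; it scans a workflow file for `uses:` references, flags those that are not SHA-pinned, and raises the severity for the two Actions named in this incident. The workflow text is constructed for the example and the 40-character SHA in it is a placeholder, not a real commit.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Matches "uses: owner/repo@ref" step lines (with or without a leading "- ").
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)')
# A full git commit SHA is exactly 40 lowercase hex characters.
SHA_RE = re.compile(r'^[0-9a-f]{40}$')

# Actions named in the CVE-2025-30066 incident; an unpinned reference to
# either one is treated as a high-severity finding.
WATCHLIST = ("tj-actions/changed-files", "reviewdog/action-setup")


@dataclass
class ActionRef:
    action: str          # e.g. "tj-actions/changed-files"
    ref: Optional[str]   # tag, branch or SHA after the "@", None if absent
    line: int            # 1-based line number in the workflow file


def parse_uses(workflow_text: str) -> List[ActionRef]:
    """Extract remote Action references; local (./) and docker:// steps are skipped."""
    refs = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        if target.startswith(("./", "docker://")):
            continue
        action, _, ref = target.partition("@")
        refs.append(ActionRef(action, ref or None, lineno))
    return refs


def is_sha_pinned(ref: Optional[str]) -> bool:
    """True only when the reference is a full commit SHA, which cannot be retargeted."""
    return bool(ref) and bool(SHA_RE.match(ref))


def audit_workflow(workflow_text: str) -> List[Tuple[str, int, str, Optional[str]]]:
    """Return (severity, line, action, ref) for every reference that is not SHA-pinned."""
    findings = []
    for r in parse_uses(workflow_text):
        if is_sha_pinned(r.ref):
            continue
        severity = "HIGH" if r.action.lower() in WATCHLIST else "MEDIUM"
        findings.append((severity, r.line, r.action, r.ref))
    return findings


# Constructed sample workflow; the checkout SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@1111111111111111111111111111111111111111 # placeholder SHA
      - name: Detect changed files
        uses: tj-actions/changed-files@v45
      - uses: reviewdog/action-setup@v1
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.20
      - uses: actions/setup-node@v4
"""

if __name__ == "__main__":
    for severity, line, action, ref in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{severity}: line {line}: {action}@{ref or '<none>'} is not pinned to a commit SHA")
```

Run against a real repository by feeding each file under `.github/workflows/` to `audit_workflow`; a HIGH finding means a watch-listed Action was pulled by tag during the exposure window and the secrets available to that workflow belong on the rotation list.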
© 2021 CyberEnsō – Nihon Cyber Defence Co., Ltd. All Rights Reserved.