Compromise of tj-actions/changed-files GitHub Action, CVE-2025-30066

A popular third-party GitHub Action, tj-actions/changed-files (tracked as CVE-2025-30066), was compromised. This GitHub Action is designed to detect which files have changed in a pull request or commit. The supply chain compromise allows for information disclosure of secrets including, but not limited to, valid access keys, GitHub Personal Access Tokens (PATs), network performance management (NPM) tokens, and private Runtime Security Agent (RSA) keys. This has been patched in v46.0.1. 

Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-30066 to its Known Exploited Vulnerabilities (KEV) Catalog. 

CISA strongly urges users to implement the recommendations to mitigate this compromise and strengthen security when using third-party actions. 

See the following resources for more guidance: 

• GitHub: tj-actions changed-files through 45.0.7 allows remote attackers to discover secrets by reading actions logs  

• GitHub: Security hardening for GitHub Actions - GitHub Docs 

• GitHub: tj-actions/changed-files: :octocat: Github action to retrieve all (added, copied, modified, deleted, renamed, type changed, unmerged, unknown) files and directories 

• StepSecurity: Harden-Runner detection: tj-actions/changed-files action is compromised 

• Wiz: GitHub Action tj-actions/changed-files supply chain attack 

Organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at [email protected] or (888) 282-0870. 

This alert is provided “as is” for informational purposes only. CISA does not provide any warranties of any kind regarding any information within. CISA does not endorse any commercial product, entity, or service referenced in this alert or otherwise.