Find and Fix CVE-2025-30066, Compromised GitHub Actions Leading to Credential Leaks - Checkmarx


March 18, 2025

On March 14, 2025, Step Security reported that many versions of the GitHub Actions `tj-actions/changed-files` and `tj-actions/eslint-changed-files` contain malicious code that causes credentials and other secrets and sensitive information to be written, unredacted, to GitHub Actions Workflow run logs. Anyone with access to these logs — in most cases, anyone with read access to the repository — then has access to these secrets. This issue appears to be rooted in several compromised `reviewdog` Actions, as reported by Wiz.

This issue has been assigned CVE-2025-30066. Checkmarx Zero has released a free Python script to aid in identification and response, and has developed a web query that can be adapted to search your organization for affected workflows (just replace `your_org_here` with your GitHub Organization name).

Issue

  • GitHub Action `tj-actions/changed-files` is compromised and causes sensitive information to leak into run logs. Run logs are accessible to anyone with ‘read’ access to a repository.

  • The underlying compromise may be the result of malicious code in one or more GitHub Actions published by the `reviewdog` organization.

  • If you use affected actions in any GitHub Actions Workflow, you should assume any secret or sensitive information that Workflow accesses has been leaked to all users with read access to the repository:
    • reviewdog/action-setup
    • reviewdog/action-shellcheck
    • reviewdog/action-composite-template
    • reviewdog/action-staticcheck
    • reviewdog/action-ast-grep
    • reviewdog/action-typos
    • tj-actions/changed-files
    • tj-actions/eslint-changed-files

Recommended Response

  • Restrict access to GitHub repositories until each has been audited and any compromised credentials rotated. This may require temporarily changing Public repositories to Private or Internal for your organization.
  • Audit GitHub Actions Workflow files; replace any affected Actions with safer versions. See [Find Indicators of Compromise] below. Step Security has provided `step-security/changed-files` as a drop-in replacement for `tj-actions/changed-files`. No such replacement exists at time of publication for `reviewdog` actions.
  • Examine access logs for any systems for which credentials may have leaked; determine if further investigations or responses are necessary based on evidence of adversarial activity.

Find Indicators of Compromise

  1. Determine what repositories and Organizations you have on GitHub, and which are using GitHub Actions; if you are not using GitHub, or not making use of GitHub Actions workflows, you are not affected by this issue.
  2. Examine GitHub Actions workflow files (mainly `.yml` files in `.github/workflows` directories) for evidence of affected actions. Note that transitive relationships, where an otherwise-safe action in turn uses the malicious action, are still potentially risky. Use the Checkmarx Zero detection tool (a Python script) to quickly identify direct Action dependencies across your organization. You can also use this GitHub search link (replacing `your_org_here` with your GitHub Organization name), developed by Checkmarx Zero, to search for potential indicators of use.
  3. Remove affected steps, or replace them with known-safe alternatives.
  4. Search run log files for secrets that may have been exposed, using 2MS or a similar secrets scanning tool.
  5. Rotate any discovered credentials or related secrets, following your usual secrets leak response plan.

Analysis

GitHub Actions are reusable components within the GitHub Continuous Integration (CI) ecosystem; most of them are open-source code and configuration files that development and DevOps teams can easily reference in their CI/CD Workflows. This allows teams to gain productivity and quality advantages by reusing well-tested solutions to common requirements during the build, test, and deployment activities that are part of modern software development practices.

This issue is the result of an adversary exploiting the trust within the open-source ecosystem to merge malicious content into trusted GitHub Actions, combined with the necessity of trusting the execution of CI/CD runner environments.

The adversary compromised several popular, reusable GitHub Actions that perform useful tasks — in this case, providing the build process with a list of which files have changed since the last commit, which can be used to help reduce build and test costs — and abused the trusted position such actions have within Workflows, namely the ability to access sensitive data such as secrets. When these compromised actions run, they can read secrets that have been provided to the Workflow in question, then bypass GitHub’s process for redacting secrets from run logs in order to exfiltrate the data.

As a result, the adversary can collect these secrets from any run logs to which they have access. The most obvious exfiltration path is via Public repositories, since run logs from such repositories are generally available to everyone.

Should I be concerned?

If you use GitHub to store source code, and if you use GitHub Actions workflows in any of those repositories, you are potentially affected if you make use of any of the compromised reusable Actions.

If you have public repositories that use one of the compromised actions, you should assume that any secrets used in GitHub Workflows for those repositories have been leaked and should be rotated. Remove public access temporarily, remove or replace the affected actions with safe alternatives, rotate affected secrets, and restore public access once remediation is complete.

For internal / private repositories that use one of the compromised actions, be aware that secrets may have been leaked to any user with any level of access to those repositories. Replace the compromised actions. We recommend rotating secrets as a matter of caution; however, you may prioritize this action based on the scope of access and related risk and threat assessments for your specific case.

Protecting your organization in the future

Defensive steps that limit the likelihood and impact of this class of risk include:

  • Routinely examine reusable GitHub Actions and similar CI steps before and after you adopt them.
  • Pin versions of Actions to avoid unexpectedly inheriting new malicious code. The safest option is to pin the exact commit hash of the Action.
  • Adopt Supply Chain Security (SCS) tools – remember that GitHub Actions are not the only vector for malicious actors; any third-party component can be.
  • Routinely monitor run logs, code, and other common “leaky” assets for disclosure of credentials and similar secrets using a Secrets Detection tool.

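The workflow audit in step 2 of "Find Indicators of Compromise" and the commit-hash pinning recommended above can be checked with one scan of `uses:` references. The following is an added example written for this article, not the Checkmarx Zero tool or the query it links to; it assumes workflows live under `.github/workflows`, uses the affected-action list from this advisory, and runs against a constructed sample workflow.

```python
# Added example (not the Checkmarx Zero tool): line-based scan of `uses:`
# references in GitHub Actions workflows that flags the Actions named in this
# advisory and reports whether each reference is pinned to a full commit SHA.
import re
from pathlib import Path

# Actions listed as affected in the advisory (owner/repo, compared case-insensitively).
AFFECTED_ACTIONS = {
    "reviewdog/action-setup", "reviewdog/action-shellcheck",
    "reviewdog/action-composite-template", "reviewdog/action-staticcheck",
    "reviewdog/action-ast-grep", "reviewdog/action-typos",
    "tj-actions/changed-files", "tj-actions/eslint-changed-files",
}
# `uses: owner/repo[/subpath]@ref`; local (./) and docker:// uses do not match.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([\w.-]+/[\w.-]+)(?:/[^@'\"\s]*)?@([^'\"\s#]+)", re.M)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # only a full commit SHA counts as pinned

def scan_workflow(text):
    """Return one finding per remote `uses:` reference in the workflow text."""
    findings = []
    for action, ref in USES_RE.findall(text):
        findings.append({"action": action, "ref": ref,
                         "affected": action.lower() in AFFECTED_ACTIONS,
                         "pinned_to_sha": bool(SHA_RE.match(ref))})
    return findings

def scan_repo(root):
    """Scan every workflow file under <root>/.github/workflows; returns {path: findings}."""
    files = Path(root, ".github", "workflows").glob("*.y*ml")
    return {str(p): scan_workflow(p.read_text(encoding="utf-8")) for p in sorted(files)}

# Constructed sample workflow (placeholder SHA), not taken from any real repository.
SAMPLE = """\
name: ci
on: [pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: tj-actions/changed-files@v45
      - uses: reviewdog/action-shellcheck@v1
      - uses: ./.github/actions/local-step
"""
if __name__ == "__main__":
    for f in scan_workflow(SAMPLE):
        status = "AFFECTED" if f["affected"] else "ok"
        pin = "sha-pinned" if f["pinned_to_sha"] else "tag/branch"
        print(f"{status:8} {pin:10} {f['action']}@{f['ref']}")
```

Run `scan_repo(path)` over each checked-out repository to cover an organization; a hit on an affected action, or any reference not pinned to a SHA, is what to act on in steps 3 to 5.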
Summary

Malicious packages in supply chains pose real, day-to-day risks for organizations. CVE-2025-30066 is just one example of how a malicious actor can abuse the trust developers place in open-source components as part of a campaign to acquire useful credentials for your organization.

Use our free detection tool to help you figure out if your organization has been affected, and begin the process of rotating affected credentials and remediating the underlying issue.
