
What is the Attack?

Recently, a popular third-party GitHub Action, tj-actions/changed-files (CVE-2025-30066), used by over 23,000 repositories, was compromised, potentially exposing sensitive workflow secrets in any pipeline that integrated it. It was later discovered that the compromise of tj-actions/changed-files may be due to a similar compromise of another GitHub Action, reviewdog/action-setup@v1 (tracked as CVE-2025-30154).

Reference: Multiple Reviewdog actions were compromised during a specific time period (CVE-2025-30154, GitHub Advisory Database).

GitHub Actions is a powerful CI/CD platform that enables users to automate their software development pipelines. Individual actions can be packaged as reusable workflow components, making them widely adoptable across projects. The supply chain compromise allows for information disclosure of secrets including, but not limited to, valid access keys, GitHub Personal Access Tokens (PATs), npm tokens, and private RSA keys.

Both issues have been assigned CVE numbers (CVE-2025-30066, CVE-2025-30154) and have been added to CISA's Known Exploited Vulnerabilities Catalog. As this is an ongoing investigation, we will continue to monitor the situation and provide updates as more information becomes available.

What is the recommended Mitigation?

Review the GitHub Advisory posted at https://github.com/advisories/GHSA-mrrh-fwg8-r2c3 and follow the mitigation steps below:

1. Identify usage: Search your repositories for the tj-actions/changed-files action and the other actions mentioned above to determine whether and where they have been used.
2. Review workflow logs: Examine past workflow runs for evidence of secret exposure and update workflows referencing the compromised commit.
3. Rotate potentially exposed secrets: As a precaution, rotate any secrets that may have been exposed during this timeframe to ensure the continued security of your workflows.
4. Investigate malicious activity: If you encounter any signs that the compromised action has been executed, investigate further for any signs of malicious activity.

See the following additional resource for further guidance: Security hardening for GitHub Actions (GitHub Docs).

What FortiGuard Coverage is available?

FortiGuard Labs recommends that users follow the instructions and mitigation steps in the vendor's advisory. The FortiGuard Incident Response team can be engaged to help with any suspected compromise. A FortiGuard IPS signature has been added to detect and block malicious activity related to CVE-2025-30066 and CVE-2025-30154 (see Intrusion Prevention | FortiGuard Labs). FortiGuard Labs will provide updates as more information and protections become available.
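As an added example (not part of the FortiGuard alert or the GitHub advisory), the following Python script implements mitigation step 1 above: it scans a workflow file for `uses:` references, flags the two actions named in this alert, and also flags any action referenced by a mutable tag rather than a full commit SHA, which is the pinning practice the GitHub hardening guide recommends. The sample workflow text and the checkout SHA in it are constructed inputs.

```python
import re
from typing import Dict, List

# Action repositories named in this alert.
COMPROMISED_REPOS = {"tj-actions/changed-files", "reviewdog/action-setup"}

# Matches `uses: owner/repo[/path]@ref` step lines in a workflow file.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^@\s'"]+)@([^\s'"#]+)""", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text: str) -> List[Dict[str, object]]:
    """Return one finding per third-party action reference in a workflow.

    `compromised`: the action repo is on the list named in the alert.
    `pinned`: the ref is a full 40-hex commit SHA. A tag such as v45 is
    mutable, which is what allows a compromised tag to point at new code.
    """
    findings = []
    for action, ref in USES_RE.findall(text):
        repo = "/".join(action.split("/")[:2])  # drop any sub-action path
        findings.append({
            "action": action,
            "ref": ref,
            "compromised": repo in COMPROMISED_REPOS,
            "pinned": FULL_SHA_RE.match(ref) is not None,
        })
    return findings


def needs_attention(text: str) -> List[str]:
    """Actions that reference a listed repo or are not pinned to a SHA."""
    return [f"{f['action']}@{f['ref']}" for f in audit_workflow(text)
            if f["compromised"] or not f["pinned"]]


# Constructed sample workflow (not taken from any real repository).
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: tj-actions/changed-files@v45
      - uses: "reviewdog/action-setup@v1"
      - uses: actions/setup-node@v4
      - run: npm test
"""

if __name__ == "__main__":
    for item in needs_attention(SAMPLE_WORKFLOW):
        print("review:", item)
```

Run it over each file under `.github/workflows/` to produce the inventory that steps 2 and 3 (log review and secret rotation) are scoped against.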
