Best of 2025: GitHub Action Compromise Risks Data Leaks For 23,000 Repositories
devops.com, Thursday, January 1st, 2026
A popular GitHub Action used in more than 23,000 code repositories has been compromised in a supply chain attack in which attackers introduced a malicious commit aimed at leaking secrets, such as passwords, held in public repositories.
The compromise is being tracked as CVE-2025-30066. Bad actors modified the code of the GitHub Action tj-actions/changed-files, which repositories use to track changed files, by injecting a Node.js function containing base64-encoded instructions. Those instructions download a malicious Python script that scans the memory of the GitHub Runner, which runs jobs from a GitHub Actions workflow.
GitHub Runner's memory holds passwords and other credentials used in the continuous integration and continuous delivery (CI/CD) pipeline.
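For teams checking their own exposure, the following added example (not from the article or from the tj-actions project) lists every workflow step that uses tj-actions/changed-files and reports whether the reference is a full 40-character commit SHA or a tag or branch name, which can later be moved to point at a different commit. The function name `find_action_refs` and the sample workflow are constructed for illustration.

```python
import re

# Action named in the article; matching is case-insensitive because GitHub
# treats owner/repo names that way.
ACTION = "tj-actions/changed-files"

# `uses: owner/repo[/path]@ref`, optionally as a list item and optionally quoted.
USES_RE = re.compile(
    r"""^\s*(?:-\s*)?uses\s*:\s*["']?(?P<action>[^@\s"'#]+)@(?P<ref>[^\s"'#]+)""",
    re.IGNORECASE,
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)


def find_action_refs(workflow_text, action=ACTION):
    """Return (line_no, ref, pinned) for every step that uses `action`."""
    hits = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # commented-out step, never executed
        m = USES_RE.match(line)
        if not m:
            continue
        name = m.group("action").lower()
        if name == action.lower() or name.startswith(action.lower() + "/"):
            ref = m.group("ref")
            hits.append((line_no, ref, bool(FULL_SHA_RE.match(ref))))
    return hits


# Constructed sample workflow (not taken from any real repository).
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v1
      # - uses: tj-actions/changed-files@v0
      - name: pinned copy
        uses: TJ-Actions/changed-files@0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    for line_no, ref, pinned in find_action_refs(SAMPLE_WORKFLOW):
        state = "full commit SHA" if pinned else "mutable tag or branch"
        print(f"line {line_no}: {ACTION}@{ref} ({state})")
```

To audit a checkout, read each file under `.github/workflows/` and pass its text to `find_action_refs`. A pinned SHA still has to be checked against a commit known to be good.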