CISA Warns of Active Exploitation in GitHub Action Supply Chain Attack

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-30066 to its Known Exploited Vulnerabilities catalog, warning of a supply chain compromise in GitHub Actions. The vulnerability, affecting tj-actions/changed-files, allows attackers to extract sensitive secrets such as AWS keys and GitHub tokens from logs. The compromise was traced to reviewdog/action-setup@v1, a dependency, indicating a cascading supply chain attack. Affected users must update tj-actions/changed-files to version 46.0.1 by April 4, 2025.

Expert Analysis:

This incident underscores the persistent risks in CI/CD security. Open-source dependencies remain an easy vector for exploitation, with attackers leveraging compromised personal access tokens (PATs) to inject malicious code. What’s concerning is the silent nature of such breaches—organizations often fail to detect malicious updates until it’s too late.

Supply chain security isn’t optional anymore. Pinning dependencies to specific commit hashes, continuous code integrity monitoring, and least privilege access policies must become standard practice.
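The commit-pinning advice above is easy to state and easy to let slip in practice. The following is an added example, not code from the original article or from the tj-actions project: a small audit that scans a GitHub Actions workflow and flags every `uses:` reference that points at a mutable tag or branch instead of a full 40-character commit SHA. The workflow text, the `v46` tag and the checkout SHA are constructed placeholders, and `audit_workflow` is a name chosen here.

```python
import re

# Constructed sample workflow (not from the article or any real repository):
# one step pinned to a full commit SHA (placeholder value), two steps pinned
# only to mutable tags, one local action, one plain run step.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4 (placeholder SHA)
      - uses: tj-actions/changed-files@v46
      - uses: reviewdog/action-setup@v1
      - uses: ./.github/actions/local-step
      - run: echo "build"
"""

# Matches a `uses:` key and captures its value up to whitespace or a comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
# A full git commit SHA: exactly 40 lowercase hex characters.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text):
    """Return (line_number, reference, reason) for every action reference
    that is not pinned to a full commit SHA.

    Local actions (./...) and docker:// references are skipped: they are not
    resolved through a tag that a third party could move."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            findings.append((lineno, ref, "no ref at all (resolves to the default branch)"))
            continue
        _, _, version = ref.rpartition("@")
        if not SHA_RE.match(version):
            findings.append((lineno, ref, f"mutable ref '{version}' (a tag or branch can be moved)"))
    return findings


if __name__ == "__main__":
    for lineno, ref, reason in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref}: {reason}")
```

Run against a real `.github/workflows/` directory, every reported line is a place where a retagged upstream release would be pulled into the build without any change to the repository itself.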
