By Alon Klayman and Tomer Kachlon, Team AXON
Note: To facilitate the investigation efforts, we created a tool to look for potential exploitations in GitHub workflow logs; it can be found in the 'Investigation & Response Tool' section below.
Introduction
Supply chain attacks have become increasingly common, with several high-profile incidents in recent months. Cases such as the Chrome Extension malicious campaign, the XZ Utils compromise, and others highlight the significant impact of these attacks.
March 2025 has introduced yet another alarming example of this threat—this time targeting GitHub Actions. The month began with the compromise of the popular tj-actions/changed-files GitHub Action and was followed by the potential discovery of malicious activity involving reviewdog/action-setup. Evidence suggests that the threat actor leveraged this action as a stepping stone to infiltrate and gain access to tj-actions GitHub Actions, further emphasizing the growing risk to the software supply chain.
Threat Summary
A recently disclosed CI/CD supply-chain attack has compromised multiple widely used GitHub Actions, initially impacting several reviewdog actions before expanding to additional repositories, including tj-actions/changed-files. Tracked as CVE-2025-30066 (and CVE-2025-30154), this attack involved injecting malicious code designed to exfiltrate sensitive CI/CD secrets by logging them into GitHub Actions workflow logs. The attack method leveraged unauthorized modifications to repository tags, redirecting the affected GitHub actions users to a malicious commit, which affected not only the latest version but also prior versions of these actions.
This campaign presents a significant risk to organizations relying on the affected GitHub Actions for automation, particularly those using affected actions in public repositories, where workflow logs are openly accessible, making it easier for attackers to extract secrets. While the risk is lower for private repositories, the presence of secrets in logs is still a critical security concern. Additionally, while the malicious commits within each attack followed a consistent exfiltration method, there were differences between the tj-actions and reviewdog compromises. This suggests that, while probably related, they involved slightly different variations of malicious GitHub Actions.
With the scope of compromise still evolving, the possibility of further repository takeovers or recurrence remains a concern, particularly for the reviewdog repositories, where the exact compromise method is still uncertain. This attack highlights the growing risks in CI/CD security, emphasizing the need for continuous monitoring, proactive threat-hunting, and urgent mitigation measures to prevent further exposure of sensitive credentials and unauthorized access to organizational infrastructure.
Update: According to Palo Alto’s latest publication, this threat campaign likely began as a targeted attack against Coinbase repositories. The threat actor initially leveraged the compromised tj-actions and reviewdog repositories to gain unauthorized access to at least one of Coinbase’s repositories. Over time, the campaign evolved into a broader attack, indiscriminately targeting multiple version tags of tj-actions/changed-files. A malicious commit was introduced that exfiltrates GitHub runner secrets without applying any specific filters—such as references to Coinbase—indicating a shift from a focused operation to a widespread campaign.
TL;DR - Visualized Attack Details
The following diagram visually summarizes the flow of the threat campaign:
Source: Alon Klayman and Tomer Kachlon, Team AXON
Recommended Action Items
Given the severity and evolving nature of this CI/CD supply-chain attack, we strongly recommend organizations take immediate action to mitigate potential risks. The following steps should be implemented as soon as possible:
1. Cease Usage of Affected GitHub Actions
Avoid using any version of the following compromised GitHub Actions unless there is clear confirmation that a security fix has been released:
- tj-actions/changed-files
- tj-actions/eslint-changed-files
- reviewdog/action-setup
- reviewdog/action-shellcheck
- reviewdog/action-composite-template
- reviewdog/action-staticcheck
- reviewdog/action-ast-grep
- reviewdog/action-typos
Additionally, due to the uncertainty surrounding the reviewdog compromise, consider treating all reviewdog repositories as potentially compromised until further clarification.
2. Remove References Across All Branches
Ensure that all references to the compromised GitHub Actions are removed from all branches across repositories, not just the main branch. This step prevents unintended execution in environments where old workflow configurations might still exist.
3. Conduct a Code Search for Exposure
Perform a comprehensive code search to identify any usage of the affected actions in your repositories. Use the following GitHub search queries to locate references within your organization:
https://github.com/search?q=org%3A<insert-your-github-org-name>%20uses%3A%20tj-actions%2Fchanged-files%20language%3AYAML%20path%3A.github%2F&type=code
https://github.com/search?q=org%3A<insert-your-github-org-name>+(reviewdog%2Faction-setup+OR+reviewdog%2Faction-shellcheck+OR+reviewdog%2Faction-composite-template+OR+reviewdog%2Faction-staticcheck+OR+reviewdog%2Faction-ast-grep+OR+reviewdog%2Faction-typos+OR+tj-actions%2Fchanged-files+OR+tj-actions%2Feslint-changed-files)+language%3AYAML+path%3A.github%2F&type=code
https://github.com/search?q=org%3A<insert-your-github-org-name>+reviewdog+language%3AYAML+path%3A.github%2F&type=code
These searches will help identify workflow files where the compromised actions were used.
4. Review GitHub Actions Workflow Logs
Analyze your GitHub Actions workflow run logs for indications of exposure. Specifically, look for:
- Any execution referencing tj-actions/changed-files or tj-actions/eslint-changed-files
- Workflows pointing to vulnerable tags or branches
- Any executions involving actions created by the reviewdog organization
Any suspicious findings should be investigated further to assess the extent of potential exposure.
Note: AXON’s Rapid Response Tool for Investigating GitHub Actions Compromise (found in the Investigation & Response Tool section below) can facilitate the investigation process.
5. Secret Rotation if Exposure is Detected
If any affected actions were used in your workflows, assume that secrets may have been exposed. Immediately rotate all secrets that were accessible within those workflows.
6. Securely Handle Workflow Logs
- Delete affected workflow logs to limit further exposure of secrets.
- However, before deletion, securely store copies of relevant logs in case of a future need for forensic analysis.
7. Improve Security for Future Protection
- To reduce exposure to similar attacks in the future, consider pinning GitHub Actions by commit hash instead of using version tags - using the full-length commit hash reduces the risk of a malicious actor modifying the code in a later update.
- Monitor and ingest GitHub audit logs into your SIEM solution.
By following these recommendations, organizations can minimize the risk of compromise and improve their resilience against CI/CD supply-chain attacks.
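As an added example that is not part of the original post or of the AXON tool, the following Python script covers steps 3 and 7 together: it walks the uses: lines of a workflow file, flags the affected actions listed above plus any other action from the reviewdog organization, and reports refs that are tags rather than full-length commit SHAs. The workflow it scans is constructed here; reviewdog/action-example is a hypothetical action name and the 40-hex ref is a placeholder SHA.

```python
import re

# Actions the advisory lists as compromised (owner/repo form).
AFFECTED_ACTIONS = {
    "tj-actions/changed-files",
    "tj-actions/eslint-changed-files",
    "reviewdog/action-setup",
    "reviewdog/action-shellcheck",
    "reviewdog/action-composite-template",
    "reviewdog/action-staticcheck",
    "reviewdog/action-ast-grep",
    "reviewdog/action-typos",
}
# Matches "uses: owner/repo[/subpath]@ref", quoted or not, with an optional trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([\w.-]+/[\w.-]+)(?:/[^@\s'\"]+)?@([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text: str) -> list:
    """Flag each step that uses a listed action, any reviewdog action, or an unpinned ref."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group(1), m.group(2)
        reasons = []
        if action in AFFECTED_ACTIONS:
            reasons.append("listed as compromised")
        elif action.startswith("reviewdog/"):
            reasons.append("reviewdog organization, treat as potentially compromised")
        if not FULL_SHA_RE.match(ref):
            reasons.append("not pinned to a full-length commit SHA")
        if reasons:
            findings.append({"line": lineno, "action": action, "ref": ref, "reasons": reasons})
    return findings


# Constructed workflow (not from any real repository); the 40-hex ref is a placeholder SHA.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: reviewdog/action-example@v1
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567  # placeholder
"""
```

Run audit_workflow over every file under .github/workflows on every branch (step 2), not just the default branch.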
Investigation & Response Tool
AXON’s Rapid Response Tool for Investigating GitHub Actions Compromise
To support security teams in the community with investigating and responding to this supply-chain attack, Hunters' AXON team has developed a Python tool designed to analyze exported GitHub workflow logs for indicators of compromise.
To assist with collecting workflow logs, we’ve also published a script that uses the GitHub CLI to fetch logs for all workflow runs in a repository. The script can be found on AXON’s GitHub Page:
The tool specifically looks for double-base64 encoded content, a key characteristic of this attack, and performs a double-decoding process to detect the presence of “isSecret”.
If a double-decoded string contains the “isSecret” value, it is highly likely that a secret was dumped from GitHub runner memory, making this an effective method for identifying potential exposures.
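As an added illustration of the detection logic just described (this is not the AXON tool's own code), the following Python snippet peels two base64 layers off every long base64-looking run in a log and reports the lines whose inner payload contains “isSecret”. The sample log is constructed inline; single-layer base64 and plain text are deliberately included so the decoder's failure path is exercised.

```python
import base64
import re
from typing import Optional

# Runs of base64 alphabet long enough to carry a double-encoded JSON blob.
B64_RUN = re.compile(r"[A-Za-z0-9+/=]{40,}")


def _b64decode_strict(data: str) -> Optional[bytes]:
    """Decode one base64 layer; None if the text is not valid base64."""
    padded = data + "=" * (-len(data) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def double_decode(token: str) -> Optional[str]:
    """Peel two base64 layers; None unless both layers decode cleanly."""
    outer = _b64decode_strict(token)
    if outer is None:
        return None
    try:
        inner_b64 = outer.decode("ascii").strip()
    except UnicodeDecodeError:
        return None
    inner = _b64decode_strict(inner_b64)
    return None if inner is None else inner.decode("utf-8", errors="replace")


def scan_log(text: str) -> list:
    """One finding per log line whose double-decoded payload contains 'isSecret'."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in B64_RUN.finditer(line):
            decoded = double_decode(match.group(0))
            if decoded is not None and "isSecret" in decoded:
                findings.append({"line": lineno, "decoded": decoded})
    return findings


# Constructed sample log (not a real capture): one runner-memory dump encoded
# twice, next to a plaintext line and a single-layer base64 line.
_DUMP = b'[{"name":"DEPLOY_TOKEN","value":"example-value","isSecret":true}]'
SAMPLE_LOG = "\n".join([
    "2025-03-14T10:00:00Z Run tj-actions/changed-files@v45",
    "2025-03-14T10:00:01Z " + base64.b64encode(base64.b64encode(_DUMP)).decode(),
    "2025-03-14T10:00:02Z "
    + base64.b64encode(b"a single base64 layer with nothing sensitive inside it").decode(),
])
```

Feed scan_log the text of each exported run log; a hit means the decoded payload should be treated as leaked and the named secrets rotated (step 5).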
The script below is also available in AXON’s Rapid Response GitHub repository: https://github.com/axon-git/rapid-response/blob/main/GitHub%20Actions%20Supply%20Chain%20-%20tj-actions_reviewdog/cve_2025_30066_scanner.py
If you encounter false positives or unexpected findings while using the tool, we encourage you to reach out and share your insights with us.
Resources
The following resources were used as part of the research conducted by team AXON, and for the investigation tool creation:
- https://www.stepsecurity.io/blog/reviewdog-github-actions-are-compromised
- https://unit42.paloaltonetworks.com/github-actions-supply-chain-attack/
- https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised
- https://www.wiz.io/blog/github-action-tj-actions-changed-files-supply-chain-attack-cve-2025-30066
- https://www.wiz.io/blog/new-github-action-supply-chain-attack-reviewdog-action-setup