Executive Summary
In March 2025, a significant supply chain attack targeted GitHub Actions, specifically compromising the widely-used 'tj-actions/changed-files' repository. Attackers injected malicious code into this action, causing it to expose sensitive secrets from Continuous Integration/Continuous Deployment (CI/CD) workflows by printing them into public logs. This breach, identified as CVE-2025-30066, affected thousands of repositories relying on the compromised action, leading to potential unauthorized access and data breaches.
This incident underscores the escalating threats to software supply chains, particularly within CI/CD environments. It highlights the critical need for organizations to implement stringent security measures, such as pinning dependencies to specific versions, regularly auditing third-party components, and enhancing monitoring of CI/CD pipelines to detect and mitigate such vulnerabilities promptly.
Why This Matters Now
The GitHub Actions supply chain attack of 2025 serves as a stark reminder of the vulnerabilities inherent in CI/CD pipelines. As software development increasingly relies on automation and third-party tools, the risk of similar supply chain attacks grows. Organizations must prioritize securing their development workflows to prevent potential data breaches and maintain trust in their software delivery processes.
Attack Path Analysis
An attacker compromised a GitHub Actions workflow by injecting malicious code, leading to the exfiltration of sensitive secrets. These secrets enabled the attacker to escalate privileges and move laterally across repositories, establishing command and control channels. Subsequently, the attacker exfiltrated additional data, culminating in the distribution of malicious packages to downstream users.
Kill Chain Progression
Initial Compromise
Description
The attacker injected malicious code into a GitHub Actions workflow by compromising a maintainer's account.
Related CVEs
CVE-2025-30066
CVSS 8.6A compromised GitHub Action 'tj-actions/changed-files' exposed sensitive workflow secrets in CI/CD pipelines.
Affected Products:
GitHub GitHub Actions – N/A
Exploit Status:
exploited in the wildReferences:
CVE-2025-30154
CVSS 8.6A compromised GitHub Action 'reviewdog/action-setup' potentially exposed sensitive workflow secrets in CI/CD pipelines.
Affected Products:
GitHub GitHub Actions – N/A
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Supply Chain Compromise
Compromise Software Dependencies and Development Tools
Poisoned Pipeline Execution
Unsecured Credentials: Credentials in Files
Use Alternate Authentication Material: Application Access Token
Command and Scripting Interpreter
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
NIST SP 800-53 – Supply Chain Protection
Control ID: SA-12
PCI DSS 4.0 – Secure Development Practices
Control ID: 6.3.2
NYDFS 23 NYCRR 500 – Training and Monitoring
Control ID: 500.14
DORA – ICT Risk Management Framework
Control ID: Article 6
CISA Zero Trust Maturity Model 2.0 – Identity Governance and Administration
Control ID: Identity Pillar
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Supply-chain attacks targeting GitHub Actions workflows expose software development pipelines to malicious package injection, secret exfiltration, and compromised CI/CD security controls.
Banking/Mortgage
Open source supply chain vulnerabilities threaten financial institutions' software dependencies, enabling attackers to exfiltrate API keys and compromise secure transaction systems.
Health Care / Life Sciences
Healthcare software relying on npm packages faces HIPAA compliance risks from malicious dependencies that could compromise patient data through secret exfiltration attacks.
Government Administration
Government agencies using GitHub Actions workflows are vulnerable to supply-chain attacks that could compromise sensitive systems through malicious package propagation and credential theft.
Sources
- Securing the open source supply chain across GitHubhttps://github.blog/security/supply-chain-security/securing-the-open-source-supply-chain-across-github/Verified
- GitHub Actions supply chain attack spotlights CI/CD riskshttps://www.techtarget.com/searchITOperations/news/366621078/GitHub-Actions-supply-chain-attack-spotlights-CI-CD-risksVerified
- Supply chain attack via GitHub Actionhttps://www.kaspersky.com/blog/malicious-github-action-changed-files/53179/Verified
- GitHub Actions Supply Chain Attackhttps://www.fortiguard.com/threat-signal-report/6052/github-actions-supply-chain-attackVerified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to escalate privileges and move laterally across repositories, thereby reducing the blast radius of the breach.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit compromised credentials to inject malicious code into workflows could have been constrained, potentially limiting unauthorized access.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges using stolen secrets could have been limited, potentially restricting unauthorized access to sensitive repositories.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement across repositories could have been constrained, potentially limiting unauthorized access to additional repositories.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish command and control channels could have been limited, potentially restricting unauthorized remote control.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive data could have been constrained, potentially limiting unauthorized data transfer.
The attacker's ability to distribute malicious packages could have been limited, potentially reducing the scope of downstream compromise.
Impact at a Glance
Affected Business Functions
- Software Development
- Continuous Integration/Continuous Deployment (CI/CD)
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of sensitive workflow secrets, including API keys and access tokens.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust Segmentation to enforce least privilege access controls and limit lateral movement.
- • Utilize Multicloud Visibility & Control to monitor and manage security policies across all cloud environments.
- • Deploy Egress Security & Policy Enforcement to restrict unauthorized outbound traffic and prevent data exfiltration.
- • Apply Threat Detection & Anomaly Response mechanisms to identify and respond to suspicious activities promptly.
- • Regularly review and update security policies to adapt to evolving threats and vulnerabilities.
