Executive Summary
In 2025, a surge in supply chain attacks targeted GitHub Actions, leveraging insecure workflows and misconfigured secrets to inject malicious code into the software development pipeline. Attackers exploited open source dependencies and automation gaps, enabling lateral movement and data theft across multiple organizations using compromised CI/CD environments. The incident, revealed through coordinated research at Black Hat Europe, highlighted how adversaries can escalate privileges and bypass traditional defenses by targeting both public and private repositories, resulting in widespread risk for organizations with weak DevSecOps controls.
This incident underscores a pronounced trend: attackers are increasingly focusing on automated development environments and supply chains, not just production workloads. With more organizations adopting GitHub Actions and similar platforms, visibility, zero trust segmentation, and secure automation practices are now critical to thwart sophisticated threat actors targeting the software supply chain.
Why This Matters Now
The rise in attacks against GitHub Actions is urgent because CI/CD pipelines are foundational to modern software delivery, yet often lack sufficient visibility and segmentation. As businesses accelerate DevOps adoption, supply chain risks are now a board-level concern, forcing urgent reassessment of trust, automation, and policy enforcement in development environments.
Attack Path Analysis
Attackers initially compromised the CI/CD pipeline by exploiting a vulnerable GitHub Action or injecting malicious code via a supply chain dependency. They escalated privileges by acquiring access tokens or manipulating pipeline secrets. The adversaries moved laterally within cloud infrastructure, leveraging east-west connections to access additional services or workloads. Command and control was established using encrypted outbound traffic from compromised runners or workloads. Sensitive code, secrets, or data were then exfiltrated via egress channels. Finally, attackers impacted the environment by modifying software artifacts, introducing malicious code into builds, or causing business disruption.
Kill Chain Progression
Initial Compromise
Description
Adversaries exploited a vulnerable GitHub Action or injected malicious code into an open-source dependency used in the pipeline, gaining initial access to the CI/CD environment.
Related CVEs
CVE-2025-30066
CVSS 8.6
A supply chain attack on the tj-actions/changed-files GitHub Action allowed remote attackers to access sensitive data by reading actions logs.
Affected Products:
tj-actions changed-files – <= 45.0.7
Exploit Status:
exploited in the wild
CVE-2025-30154
CVSS 8.6
The reviewdog/action-setup GitHub Action was compromised, leading to the exposure of secrets in GitHub Actions Workflow Logs.
Affected Products:
reviewdog action-setup – v1
Exploit Status:
exploited in the wild
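One way to check workflow files against the two affected actions listed above, as an added example that is not from the original page or from the action maintainers. The function names, finding labels and sample workflow are assumptions constructed for illustration.

```python
import re

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([\w.-]+/[\w.-]+)(?:/[^@\s'\"]*)?@([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

def _semver(ref):
    """Parse v45, v45.0 or 45.0.7 into a 3-tuple (missing parts = 0); else None."""
    m = re.fullmatch(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", ref)
    return tuple(int(p or 0) for p in m.groups()) if m else None

def in_listed_range(action, ref):
    """Versions exactly as listed in this brief; a floating v45 is read as 45.0.0."""
    if action == "tj-actions/changed-files":
        v = _semver(ref)
        return v is not None and v <= (45, 0, 7)
    return action == "reviewdog/action-setup" and ref == "v1"

def audit_workflow(text):
    """Return (line_no, action, ref, finding) per remote `uses: owner/repo@ref` line.
    Local (./) and docker:// references do not match and are skipped."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.groups()
        if FULL_SHA_RE.fullmatch(ref):
            finding = "pinned-to-sha"     # immutable ref; commit still needs vetting
        elif in_listed_range(action, ref):
            finding = "listed-affected"   # version named under Affected Products
        else:
            finding = "mutable-ref"       # tag or branch can be repointed upstream
        findings.append((line_no, action, ref, finding))
    return findings

# Constructed sample workflow; the 40-hex ref is a placeholder, not a real commit.
SAMPLE = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: tj-actions/changed-files@v45
      - uses: tj-actions/changed-files@v46.0.1
      - uses: reviewdog/action-setup@v1
      - uses: ./.github/actions/local-lint
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE):
        print("line %d: %s@%s -> %s" % f)
```

A `pinned-to-sha` result only means the reference is immutable; the commit itself still has to be reviewed against the advisories listed under Sources.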
MITRE ATT&CK® Techniques
Supply Chain Compromise
Compromise CI/CD Pipeline
Compromise Infrastructure
Execution through API
Valid Accounts: Cloud Accounts
Modify Authentication Process: Web Portal
Impair Defenses: Disable or Modify Tools
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Change and Testing Procedures
Control ID: 6.4.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management
Control ID: Article 9.2
CISA Zero Trust Maturity Model (ZTMM) 2.0 – Continuous Monitoring and Risk Assessment
Control ID: Section 3.3.4
NIS2 Directive – Supply Chain Security
Control ID: Article 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
GitHub Actions supply chain attacks directly target software development workflows, compromising CI/CD pipelines and requiring enhanced zero trust segmentation and threat detection capabilities.
Information Technology/IT
IT infrastructure providers face elevated risks from supply chain compromises affecting development tools, necessitating multicloud visibility and egress security policy enforcement measures.
Financial Services
Financial institutions using GitHub Actions for application development face compliance violations and data exposure risks requiring encrypted traffic protection and anomaly response capabilities.
Health Care / Life Sciences
Healthcare organizations leveraging open source development face HIPAA compliance risks from compromised GitHub workflows, demanding Kubernetes security and east-west traffic protection implementations.
Sources
- Supply Chain Attacks Targeting GitHub Actions Increased in 2025: https://www.darkreading.com/application-security/supply-chain-attacks-targeting-github-actions-increased-in-2025
- tj-actions changed-files through 45.0.7 allows remote attackers to discover secrets by reading actions logs: https://github.com/advisories/ghsa-mrrh-fwg8-r2c3
- CISA Issues Alert on New GitHub Actions Vulnerability: https://www.quorumcyber.com/threat-intelligence/cisa-issues-alert-on-new-github-actions-vulnerability/
- Supply chain attack affecting multiple GitHub actions: https://www.nudgesecurity.com/post/supply-chain-attack-affecting-multiple-github-actions
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, strict egress controls, real-time threat detection, and comprehensive east-west traffic visibility would have constrained attacker movement, blocked malicious exfiltration, and limited privilege escalation within the cloud CI/CD environment.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Inline policy enforcement can detect and block unauthorized or risky code execution in the pipeline.
Control: Zero Trust Segmentation
Mitigation: Identity-based network segmentation restricts the blast radius of compromised credentials.
Control: East-West Traffic Security
Mitigation: Lateral movement between workloads is detected and blocked by enforcing least privilege flows.
Control: Threat Detection & Anomaly Response
Mitigation: Anomalous outbound traffic patterns trigger alerts and block C2 channels.
Control: Egress Security & Policy Enforcement
Mitigation: Unauthorized data export attempts to unknown destinations are blocked.
Centralized visibility ensures rapid detection of malicious pipeline or code changes.
Impact at a Glance
Affected Business Functions
- Software Development
- Continuous Integration/Continuous Deployment (CI/CD)
Estimated downtime: 3 days
Estimated loss: $500,000
Potential exposure of sensitive CI/CD secrets, including access keys and tokens, leading to unauthorized access and data breaches.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust segmentation and microsegmentation for all CI/CD and cloud workloads to reduce lateral movement opportunities.
- Enforce outbound egress controls and FQDN-based filtering to block unauthorized data exfiltration from pipeline infrastructure.
- Leverage real-time inline threat detection and anomaly response to identify suspicious pipeline activity or external communications.
- Apply workload identity and namespace-based segmentation in Kubernetes or cloud-native platforms to isolate build and deploy processes.
- Centralize multicloud visibility and governance to quickly detect, investigate, and respond to supply chain incidents.



