Supply Chain Compromise of Third-Party tj-actions/changed-files (CVE-2025-30066) and reviewdog/action-setup@v1 (CVE-2025-30154)

A popular third-party GitHub Action, tj-actions/changed-files (tracked as CVE-2025-30066), was compromised. tj-actions/changed-files is designed to detect which files have changed in a pull request or commit. The supply chain compromise allows for information disclosure of secrets including, but not limited to, valid access keys, GitHub Personal Access Tokens (PATs), npm tokens, and private RSA keys. This has been patched in v46.0.1.

(Updated March 19, 2025) The compromise of tj-actions/changed-files was potentially enabled by a compromise of another GitHub Action, reviewdog/action-setup@v1 (tracked as CVE-2025-30154), which occurred around the same time. The following Actions may also be affected: 

reviewdog/action-shellcheck

reviewdog/action-composite-template

reviewdog/action-staticcheck

reviewdog/action-ast-grep

reviewdog/action-typos

(Updated March 26, 2025) CISA added CVE-2025-30066 and CVE-2025-30154 to its Known Exploited Vulnerabilities Catalog.

CISA strongly urges users to implement the following recommendations to mitigate this compromise. If your organization is impacted:

(Updated March 26, 2025)

Identify affected repositories. Conduct an audit to locate all projects using all versions of tj-actions/changed-files between 2025-03-12 00:00 UTC to 2025-03-15 12:00 UTC in your organization and/or the reviewdog/action between March 11, 2025, between 18:42 and 20:31 UTC.

Identify exposed secrets. For public repositories with workflows that ran the malicious commit, check for exposed access keys, GitHub Personal Access Tokens (PATs), npm tokens, and private RSA keys. Note: Secrets may be obfuscated as a double-encoded base64 payload.

Rotate all identified secrets immediately as they should be considered compromised.

Update to latest version of reviewdog/action-setup@3f401fe and/or follow these instructions provided by GitHub.

Organizations should investigate and report incidents and malicious activity to CISA’s 24/7 Operations Center at Report@cisa.gov or (888) 282-0870. 

See the following resources for more guidance to reduce risk when using third-party GitHub Actions:

GitHub: tj-actions changed-files through 45.0.7 allows remote attackers to discover secrets by reading actions logs

GitHub: Security hardening for GitHub Actions - GitHub Docs

GitHub: tj-actions/changed-files: :octocat: Github action to retrieve all (added, copied, modified, deleted, renamed, type changed, unmerged, unknown) files and directories

StepSecurity: Harden-Runner detection: tj-actions/changed-files action is compromised

Wiz: GitHub Action tj-actions/changed-files supply chain attack

(Updated March 19, 2025) GitHub: Multiple Reviewdog actions were compromised during a specific time period · CVE-2025-30154 · GitHub Advisory Database

(Updated March 26, 2025) Semgrep: Popular GitHub Action tj-actions/changed-files is compromised

This alert is provided “as is” for informational purposes only. CISA does not provide any warranties of any kind regarding any information within. CISA does not endorse any commercial product, entity, or service referenced in this alert or otherwise.

This product is provided subject to this Notification and this Privacy & Use policy.

Supply Chain Compromise of Third-Party tj-actions/changed-files (CVE-2025-30066) and reviewdog/action-setup@v1 (CVE-2025-30154)

Please share your thoughts