
A critical security incident has been detected involving the widely-used GitHub Action “tj-actions/changed-files”. Step Security is actively investigating the breach and has issued an alert to users urging them to take immediate corrective actions. An official CVE (CVE-2025-30066) has been published to track this incident.
The compromise was detected by Step Security’s Harden-Runner through anomaly detection, triggered by the appearance of an unexpected endpoint in the network traffic. The incident is believed to have started around 9:00 AM PT on March 14th, 2025 (4:00 PM UTC).
The attackers modified the action’s code and retroactively updated multiple version tags to point to the malicious commit. This malicious code then proceeded to print CI/CD secrets in GitHub Actions build logs. If these workflow logs were publicly accessible, as is the case with public repositories, these secrets could be obtained by anyone.
Step Security’s report indicates that the compromised Action executes a malicious Python script designed to dump CI/CD secrets from the Runner Worker process.
In response to the incident, Step Security has released a free, secure drop-in replacement for the compromised Action: step-security/changed-files. They strongly recommend that users replace all instances of “tj-actions/changed-files” with this secure alternative.
The “tj-actions/changed-files” GitHub Action is used in over 23,000 repositories, making the scale of this compromise significant. In light of the breach, GitHub has removed the “tj-actions/changed-files” Action, preventing it from being used in GitHub Actions workflows.
Step Security has urged maintainers of public repositories using the compromised Action to review recovery steps immediately, as multiple public repositories have been found to have leaked secrets in build logs. These build logs are publicly accessible, allowing anyone to potentially steal the exposed secrets.
Users are advised to take the following actions:
- Replace the compromised Action: Immediately replace all instances of “tj-actions/changed-files” with Step Security’s secure alternative: step-security/changed-files.
- Review Actions Inventory: Perform a code search across repositories to find all instances of the compromised Action.
- Review GitHub Actions Workflow Run Logs: Check recent executions of the Action for leaked secrets, especially in public repositories.
- Rotate Leaked Secrets: If any secrets are found in the logs, rotate them immediately.
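
One way to carry out the inventory step on a checked-out repository, as an added example that is not code from Step Security or the Action's maintainers. It lists every use of the Action and marks whether the reference is a tag or branch (which follows whatever commit the tag points to, the mechanism abused here) or a full commit SHA; the function names and the sample workflow are constructed for illustration.

```python
import re
from pathlib import Path

ACTION = "tj-actions/changed-files"
# Matches "uses: owner/repo@ref", with an optional list dash and optional quotes.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^@\s'"]+)@([^\s'"#]+)""")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def find_action_refs(workflow_text, action=ACTION):
    """Return (line_no, ref, kind) for each use of `action`.

    kind is "sha" for a full 40-hex commit pin and "mutable" for a tag or
    branch, which resolves to whatever commit it points to at run time.
    Every hit should be replaced; kind only helps prioritise log review.
    """
    hits = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # commented-out step
        m = USES_RE.match(line)
        if m and m.group(1).lower() == action:  # owner/repo is case-insensitive
            ref = m.group(2)
            kind = "sha" if FULL_SHA_RE.match(ref.lower()) else "mutable"
            hits.append((line_no, ref, kind))
    return hits

def scan_repo(root):
    """Scan .github/workflows/*.yml and *.yaml under a checked-out repository."""
    results = {}
    wf_dir = Path(root) / ".github" / "workflows"
    for path in sorted(wf_dir.glob("*.y*ml")):
        hits = find_action_refs(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            results[path.name] = hits
    return results

# Constructed sample workflow (not taken from any real repository).
SAMPLE = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      # - uses: tj-actions/changed-files@v44
      - id: changed
        uses: TJ-Actions/changed-files@0123456789abcdef0123456789abcdef01234567  # constructed SHA
"""

if __name__ == "__main__":
    for line_no, ref, kind in find_action_refs(SAMPLE):
        print(f"line {line_no}: {ACTION}@{ref} ({kind} ref) -> replace")
```

Run `scan_repo(".")` from the root of each repository; workflow runs from files that reference a tag or branch are the ones to check first in the run logs.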