GitHub Action Supply Chain Attack Exposes Secrets: What You Need to Know and How to Respond
Blog post from Stream.Security
In March 2025, a breach of the popular GitHub Action tj-actions/changed-files exposed sensitive secrets in public repository logs through a malicious payload embedded in CI/CD workflows. The attacker impersonated the Renovate Bot user and retargeted the action's version tags at malicious code, so that workflows referencing those tags ran a script that wrote encoded secrets into public build logs; there is no evidence that the secrets were exfiltrated to an attacker-controlled server. The incident, tracked as CVE-2025-30066, poses significant risk to public repositories: the leaked secrets may include cloud credentials and access tokens that could allow unauthorized access to cloud resources.

Organizations that used this action must quickly rotate the affected credentials, review the security of their CI/CD pipelines, and ensure that stringent monitoring and dependency controls are in place. The breach illustrates the growing threat of software supply chain attacks and the need for real-time monitoring and rapid response capabilities, such as those offered by tools like Stream.Security, to detect and mitigate such threats effectively.
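The dependency control that defeats a moved-tag attack of this kind is pinning every third-party action to a full commit SHA instead of a mutable tag. The script below is an added example written for this post, not code from Stream.Security or from the tj-actions project: it scans a workflow file for `uses:` references, flags any that resolve through a tag or branch rather than a 40-hex SHA, flags any reference to the compromised action so its secrets can be rotated, and rewrites the mutable references once the SHAs are known. The workflow text and the two SHAs are constructed placeholders; in practice the SHA for a tag comes from `git ls-remote` or the GitHub API, and the scan runs over every file under `.github/workflows/`. It uses a regex rather than a YAML parser so it has no dependencies outside the standard library.

```python
import re

# Matches `uses: owner/repo[/path]@ref` on a workflow step line.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^@\s"\']+)@([^\s"\'#]+)')
# A reference is immutable only if it is a full 40-hex commit SHA.
SHA_RE = re.compile(r'^[0-9a-f]{40}$')

# Actions known from the incident to have had their tags moved to malicious code.
COMPROMISED_ACTIONS = ("tj-actions/changed-files",)

# Constructed sample workflow for the example (not a real repository's file).
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Get changed files
        uses: tj-actions/changed-files@v45
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # placeholder SHA, constructed
      - uses: ./.github/actions/local-thing
      - run: echo done
"""

# Placeholder SHAs for the rewrite step; these are constructed, not real commits.
PLACEHOLDER_SHAS = {
    "actions/checkout@v4": "fedcba9876543210fedcba9876543210fedcba98",
    "tj-actions/changed-files@v45": "0123456789abcdef0123456789abcdef01234567",
}


def scan_workflow(text, compromised=COMPROMISED_ACTIONS):
    """Return one finding per `uses:` step that references a remote action.

    Local (`./path`) and docker:// steps carry no @ref and are skipped.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.groups()
        findings.append({
            "line": lineno,
            "action": action,
            "ref": ref,
            "pinned": bool(SHA_RE.match(ref)),
            "compromised": action in compromised,
        })
    return findings


def unpinned(findings):
    """Findings whose reference is a mutable tag or branch name."""
    return [f for f in findings if not f["pinned"]]


def needs_rotation(findings):
    """Findings for the compromised action: any secret that workflow could see must be rotated."""
    return [f for f in findings if f["compromised"]]


def pin_to_sha(text, resolved):
    """Rewrite `action@tag` to `action@<sha> # tag` for every entry in `resolved`.

    `resolved` maps "owner/repo@tag" to the commit SHA that tag pointed at when
    it was reviewed; the tag is kept as a trailing comment for readability.
    """
    out = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if m:
            action, ref = m.groups()
            key = f"{action}@{ref}"
            if not SHA_RE.match(ref) and key in resolved:
                line = line.replace(key, f"{action}@{resolved[key]} # {ref}", 1)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    report = scan_workflow(SAMPLE_WORKFLOW)
    for f in unpinned(report):
        print(f"line {f['line']}: {f['action']}@{f['ref']} is not pinned to a commit SHA")
    for f in needs_rotation(report):
        print(f"line {f['line']}: {f['action']} was compromised; rotate every secret this workflow could read")
    print(pin_to_sha(SAMPLE_WORKFLOW, PLACEHOLDER_SHAS))
```

Pinning stops a future tag move from pulling new code into the pipeline, but it does nothing for secrets that were already exposed, which is why the rotation finding is reported separately from the pinning finding.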