
Detecting and Mitigating the "tj-actions/changed-files" Supply Chain Attack (CVE-2025-30066)

Blog post from Sysdig

Post Details

Author: Michael Clark
Word Count: 853
Language: English
Summary

A recent supply chain attack on the GitHub Action "tj-actions/changed-files," tracked as CVE-2025-30066, compromised tens of thousands of repositories by injecting malicious code that extracts sensitive credentials from the GitHub Runner's memory and writes them into build logs. The attack, executed on March 12, 2025, used a Node.js function carrying a base64-encoded payload that downloaded Python code to scan memory for credentials. Public repositories that ran the compromised action between March 12 and March 15, 2025, are at high risk of credential exposure, because their build logs are publicly readable; private repositories are slightly less vulnerable. Detection and mitigation strategies include runtime monitoring with tools such as Falco and Sysdig Secure, rotating secrets in affected repositories, and switching to alternative actions to keep pipelines working. The incident underscores the growing threat of supply chain attacks in CI/CD environments and the importance of robust security controls and swift remediation to protect sensitive data.