
Thousands of open source projects at risk from hack of GitHub Actions tool

App development teams who use a popular utility in the GitHub Actions continuous integration and continuous delivery/deployment (CI/CD) platform need to scrub their code because the tool was compromised last week to steal credentials.

That warning came after researchers at StepSecurity found that all versions of the tj-actions/changed-files utility up to 45.0.7 had been modified by a threat actor on March 14. Normally this tool helps developers detect file changes in a repository, but a GitHub advisory says the change executes a malicious Python script that allows remote attackers to discover secrets such as API keys, access tokens, and passwords by reading actions logs.

The compromise has been designated CVE-2025-30066.

According to a report from Endor Labs, the utility is used in over 23,000 GitHub repositories. The compromised action could impact thousands of CI pipelines, the report said.
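The warning above amounts to an audit task: find every workflow that pulls in tj-actions/changed-files and check how it is referenced. The following is an added illustration, not code from the article, StepSecurity, GitHub or the tj-actions project; it assumes that any version tag up to 45.0.7 resolves to the modified action the article describes, so only a reference pinned to a full commit SHA is treated as independently reviewable, and the sample workflow is constructed for the example.

```python
import re
from typing import List, NamedTuple

# Hypothetical audit helper added as an illustration; not code from the article
# or the tj-actions project. Assumption: every version tag up to 45.0.7 resolves
# to the modified action, and only a full 40-hex commit SHA is a reviewable pin.
AFFECTED_ACTION = "tj-actions/changed-files"
LAST_AFFECTED_VERSION = (45, 0, 7)

USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?" + re.escape(AFFECTED_ACTION) + r"@(?P<ref>[^\s'\"#]+)",
    re.MULTILINE,
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_RE = re.compile(r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?$")

class Finding(NamedTuple):
    line: int     # 1-based line in the workflow file
    ref: str      # the @ref exactly as written
    verdict: str  # "sha-pinned", "affected-version" or "mutable-ref"

def classify_ref(ref: str) -> str:
    """Classify how a workflow line references the action."""
    if SHA_RE.match(ref):
        return "sha-pinned"  # not a floating tag; the SHA itself still merits review
    m = VERSION_RE.match(ref)
    if m:
        # a bare major tag such as "v45" is read as 45.0.0, so it lands in range too
        version = tuple(int(p) if p else 0 for p in m.groups())
        if version <= LAST_AFFECTED_VERSION:
            return "affected-version"
    return "mutable-ref"  # branch name or a newer tag: review by hand

def audit_workflow(text: str) -> List[Finding]:
    """One Finding per `uses:` line that references the affected action."""
    findings = []
    for m in USES_RE.finditer(text):
        line_no = text.count("\n", 0, m.start()) + 1
        findings.append(Finding(line_no, m.group("ref"), classify_ref(m.group("ref"))))
    return findings

# Constructed sample workflow fragment, not taken from any real repository.
SAMPLE_WORKFLOW = """\
steps:
  - uses: actions/checkout@v4
  - uses: tj-actions/changed-files@v45
  - uses: tj-actions/changed-files@v45.0.7
  - uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567
  - uses: tj-actions/changed-files@main
"""
```

Running `audit_workflow` over each file under `.github/workflows/` gives a per-line list of references to triage; an unrelated action such as actions/checkout produces no finding.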
