Vulnerabilities in Third-Party Supply Chain: An Analysis of CVE-2025-30066 and CVE-2025-30154
Overview
The recent compromise of the popular GitHub Action, tj-actions/changed-files, has raised significant concerns regarding the security of third-party supply chains in software development. This incident, tracked as CVE-2025-30066, allows for the unauthorized disclosure of sensitive information, including access keys and personal access tokens. Compounding the issue, another GitHub Action, reviewdog/action-setup, was also compromised (CVE-2025-30154), potentially enabling the initial breach. This report delves into the implications of these vulnerabilities, the response from cybersecurity authorities, and the broader context of supply chain security in software development.
The Nature of the Compromise
At its core, the tj-actions/changed-files action is designed to identify changes in files during pull requests or commits. However, the compromise allowed attackers to access sensitive information stored within the GitHub Actions logs. This included:
- Access Keys: These are critical for authenticating and authorizing access to various services.
- GitHub Personal Access Tokens (PATs): These tokens grant permissions to interact with GitHub repositories and APIs.
- npm Tokens: Used for authenticating with npm, these tokens can provide access to private packages.
- Private RSA Keys: These keys are essential for secure communications and data encryption.
The vulnerability was patched in version 46.0.1 of the tj-actions/changed-files action, but the damage may have already been done for organizations that did not update promptly.
Timeline of Events
The timeline surrounding these vulnerabilities is crucial for understanding the scope of the issue:
- March 11, 2025: The reviewdog/action-setup action was compromised, potentially enabling the tj-actions/changed-files breach.
- March 12-15, 2025: The tj-actions/changed-files action was actively exploited, with malicious commits running during this period.
- March 19, 2025: The vulnerabilities were publicly acknowledged, and updates were released.
- March 26, 2025: CISA added both CVE-2025-30066 and CVE-2025-30154 to its Known Exploited Vulnerabilities Catalog, urging immediate action from affected organizations.
Impact on Organizations
The implications of these vulnerabilities are profound. Organizations utilizing the compromised GitHub Actions must take immediate steps to mitigate potential damage:
- Audit Affected Repositories: Organizations should identify all projects that used the tj-actions/changed-files action between the specified dates and the reviewdog/action-setup action during its compromise window.
- Identify Exposed Secrets: For public repositories, it is critical to check the workflow logs for any exposed access keys or tokens, which may be hidden as double-encoded base64 payloads.
- Rotate Compromised Secrets: All identified secrets should be considered compromised and rotated immediately to prevent unauthorized access.
- Update to Latest Versions: Organizations must ensure they are using the latest versions of the affected actions to close any security gaps.
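The audit and detection steps above, as an added example that is not code from the article or from either action's project: it scans workflow text for `uses:` references to the two affected actions and reports whether each is pinned to a full commit SHA rather than a movable tag (a standard hardening check the article does not itself discuss), and it scans log text for double-base64-encoded blobs that decode to readable text. The sample workflow and log are constructed; the version tags and the all-zero commit SHA are placeholders.

```python
# Added audit example, not code from the article or from either action's project.
# The workflow and log samples at the bottom are constructed; tags and the
# all-zero commit SHA are placeholders.
import base64
import re

AFFECTED_ACTIONS = ("tj-actions/changed-files", "reviewdog/action-setup")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+)(?:/[^@\s]*)?@(\S+)", re.M)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # candidate base64 runs in log output

def find_affected_uses(workflow_text):
    """Return (action, ref, pinned_to_full_sha) for each affected action referenced."""
    # A tag or branch ref can be moved to another commit; a 40-hex SHA cannot.
    hits = []
    for action, ref in USES_RE.findall(workflow_text):
        if action in AFFECTED_ACTIONS:
            hits.append((action, ref, bool(SHA_RE.match(ref))))
    return hits

def _b64decode(data):
    """Strict base64 decode; None when data is not valid base64."""
    try:
        return base64.b64decode(data, validate=True)
    except ValueError:  # binascii.Error subclasses ValueError
        return None

def find_double_b64(log_text):
    """Return decoded text of blobs that base64-decode twice to readable text."""
    # Single-encoded blobs and hex commit SHAs fail the second decode and are skipped.
    found = []
    for blob in B64_RE.findall(log_text):
        inner = _b64decode(blob)
        plain = _b64decode(inner) if inner else None
        if plain is None:
            continue
        text = plain.decode("utf-8", errors="replace")
        if "\ufffd" not in text and all(c.isprintable() or c in "\r\n\t" for c in text):
            found.append(text)
    return found

# Constructed sample inputs (not real workflow or log content).
SAMPLE_WORKFLOW = """\
steps:
  - uses: actions/checkout@v4
  - uses: tj-actions/changed-files@v46
  - uses: reviewdog/action-setup@0000000000000000000000000000000000000000
"""
FAKE_SECRET = "EXAMPLE_SECRET=constructed-placeholder-value"
_DOUBLE = base64.b64encode(base64.b64encode(FAKE_SECRET.encode())).decode()
SAMPLE_LOG = f"Run changed-files\n{_DOUBLE}\ncommit 0123456789abcdef0123456789abcdef01234567\n"
```

Any secret surfaced by the second check should be treated as compromised and rotated, regardless of whether the log is still publicly visible.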
Broader Context of Supply Chain Security
This incident highlights a growing concern in the software development community: the security of third-party components. As organizations increasingly rely on open-source software and third-party libraries, the risk of supply chain attacks has escalated. A few key points illustrate this trend:
- Increased Dependency: Modern software development often involves numerous dependencies, making it challenging to track vulnerabilities across all components.
- Historical Precedents: Previous incidents, such as the SolarWinds attack, have demonstrated the potential for widespread damage stemming from supply chain vulnerabilities.
- Regulatory Scrutiny: Governments and regulatory bodies are beginning to impose stricter requirements on software supply chain security, pushing organizations to adopt more robust security practices.
Recommendations for Organizations
In light of these vulnerabilities, organizations should consider implementing the following strategies to enhance their supply chain security:
- Conduct Regular Security Audits: Regularly review and audit third-party components to identify and address vulnerabilities proactively.
- Implement Dependency Management Tools: Utilize tools that can automatically monitor and update dependencies, ensuring that organizations are using secure versions.
- Educate Development Teams: Provide training on secure coding practices and the importance of supply chain security to all team members.
- Establish Incident Response Plans: Develop and maintain incident response plans to quickly address any security breaches that may occur.
Conclusion
The compromise of tj-actions/changed-files and reviewdog/action-setup serves as a stark reminder of the vulnerabilities inherent in third-party supply chains. As organizations continue to navigate the complexities of modern software development, prioritizing supply chain security will be essential to safeguarding sensitive information and maintaining trust in software ecosystems. By taking proactive measures and fostering a culture of security awareness, organizations can better protect themselves against future threats.