A major supply chain attack on the GitHub Action tj-actions/changed-files, tracked as CVE-2025-30066, has exposed sensitive CI/CD secrets across 218 repositories.
The incident has raised significant security concerns and is connected to an earlier attack on another GitHub Action, reviewdog/action-setup@v1, tracked as CVE-2025-30154.
Although only about 4% of the 5,416 affected repositories actually had secrets leaked, the damage is severe: some of the compromised repositories have hundreds of thousands of stars and tens of thousands of forks, and that reach multiplies the downstream supply chain risk.
https://signmycode.com/blog/github-supp ... epositorie