{"id":2364,"date":"2025-03-17T20:22:36","date_gmt":"2025-03-17T20:22:36","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=2364"},"modified":"2025-03-17T20:22:36","modified_gmt":"2025-03-17T20:22:36","slug":"thousands-of-open-source-projects-at-risk-from-hack-of-github-actions-tool","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=2364","title":{"rendered":"Thousands of open source projects at risk from hack of GitHub Actions tool"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>App development teams who use a popular utility in the GitHub Actions continuous integration and continuous delivery\/deployment (CI\/CD) platform need to scrub their code because the tool was compromised last week to steal credentials.<\/p>\n<p>That warning came after researchers at StepSecurity found that all versions of the <a href=\"https:\/\/github.com\/tj-actions\/changed-files\">tj-actions\/changed-files<\/a> utility up to 45.0.7 had been modified by a threat actor on March 14. Normally this tool helps developers detect file changes in a repository, but <a href=\"https:\/\/github.com\/advisories\/GHSA-mrrh-fwg8-r2c3\">a GitHub advisory<\/a> says the change executes a malicious Python script that allows remote attackers to discover secrets such as API keys, access tokens, and passwords by reading actions logs.<\/p>\n<p>The compromise <a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2025-30066\">has been designated CVE-2025-30066<\/a>.<\/p>\n<p>According to a report from Endor Labs, the utility is used in over 23,000 GitHub repositories. 
The compromised action could impact thousands of CI pipelines, <a href=\"https:\/\/www.endorlabs.com\/learn\/github-action-tj-actions-changed-files-supply-chain-attack-what-you-need-to-know\">the report said.<\/a><\/p>\n\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>App development teams who use a popular utility in the GitHub Actions continuous integration and continuous delivery\/deployment (CI\/CD) platform need to scrub their code because the tool was compromised last week to steal credentials. That warning came after researchers at StepSecurity found that all versions of the tj-actions\/changed-files utility up to 45.0.7 had been modified [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":2365,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2364","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2364"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2364"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2364\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/2365"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2364"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=236
4"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2364"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}