GitHub Actions Incident Flaw Added to CISA Catalogue

Agency says there is a risk of recurrence.

CISA has added the GitHub Action compromise from last weekend to its Known Exploited Vulnerabilities (KEV) catalogue.

The advisory, which says there is a risk of recurrence, states that the tj-actions/changed-files GitHub Action contains an embedded malicious code vulnerability that allows a remote attacker to discover secrets by reading action logs. “These secrets may include, but are not limited to, valid AWS access keys, GitHub personal access tokens (PATs), npm tokens, and private RSA keys.”

The vulnerability is tracked as CVE-2025-30066. Commenting, Ev Kontsevoy, CEO of Teleport, said: “This is a clear example of how relying on static credentials for access control creates vulnerabilities, making it easier for threat actors to exploit identity or open-source vectors in supply chain attacks to expose secrets.”

In the incident, the attackers injected malicious code into the GitHub Action, allowing it to dump memory from CI/CD runners. This resulted in workflow secrets being exposed in logs, though there is no confirmed evidence of external exfiltration. 
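As an added example that is not part of the article, the audit script below flags the two things a defender would check in their own workflow files after an incident like this: any `uses:` reference to the action named in the advisory, and any third-party action that is pinned to a mutable tag rather than a full commit SHA (a tag can be moved to a different commit, a SHA cannot). The workflow text and the SHA in it are constructed sample input.

```python
import re

# Constructed sample workflow (not from the article): one step pinned to a
# full commit SHA, one pinned to a mutable tag, one using the affected action.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: actions/setup-node@v4
      - uses: tj-actions/changed-files@v45
        id: changed
      - uses: ./.github/actions/local-step
      - run: echo "${{ steps.changed.outputs.all_changed_files }}"
"""

# A step's action reference: owner/repo[/subpath]@ref (quotes and comments tolerated).
USES_RE = re.compile(r'''^\s*-?\s*uses:\s*['"]?([^'"\s#]+)''')
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Actions named in the CISA KEV entry this article reports on (CVE-2025-30066).
AFFECTED = {"tj-actions/changed-files"}

def audit_workflow(text):
    """Return (line_no, ref, reason) findings for risky action references."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue  # local or container references have no upstream tag to move
        name, _, version = ref.partition("@")
        repo = "/".join(name.split("/")[:2])  # owner/repo, dropping any subpath
        if repo in AFFECTED:
            findings.append((line_no, ref, "references an action listed in CISA KEV"))
        if not FULL_SHA_RE.match(version):
            findings.append((line_no, ref, "not pinned to a full commit SHA"))
    return findings

if __name__ == "__main__":
    for line_no, ref, reason in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {ref}: {reason}")
```

Pinning to a SHA does not make an action trustworthy by itself; it only guarantees that the code you reviewed is the code that runs, so the pinned commit still needs to be reviewed and updates bumped deliberately.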

Kontsevoy said when secrets are used to govern human or machine access, they inevitably become vulnerabilities in infrastructure running at scale.

“Companies can transform their security model for infrastructure environments with consolidated, cryptographic identities for humans, hardware and software,” Kontsevoy said.

“In this model, all authorisation is based on tasks, conforms to the principle of least privileged access, and is ephemeral, expiring when the task is completed. Static credentials such as passwords, keys, and tokens are eliminated and identities cannot be stolen or harvested, protecting companies from this type of attack.”

Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.
