The Tag That Moved
March 14, 2025. Overnight, a widely used GitHub Action is rewritten so that every release tag, v1, v44, v45 and the rest, points at one malicious commit. Every workflow that pinned by tag now exfiltrates its secrets to the build log.
Briefing
tj-actions/changed-files (CVE-2025-30066) was compromised on March 14, 2025. With a write-capable token, the attackers force-updated every release tag, v1 through v45, to point at a single commit they had pushed. That commit dumped the runner's process memory and wrote any secrets it found, base64-encoded, into the build log. Anyone with read access to a public repo's Actions logs could then pull credentials out of any project that pinned by tag instead of by commit SHA. The initial vector was an earlier compromise of reviewdog/action-setup the week before. You have the archive of your CI logs from the week of the 14th. Walk it.
Your role
You're the security engineer auditing your org's CI runs after StepSecurity's writeup goes public. You have a few thousand workflow files to think about and one specific question to answer first.
Objective
Find every workflow in your org that uses tj-actions/changed-files by tag, and prove from the public build logs whether any of them ran with the malicious commit.
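One way to approach both halves of that objective, as an added example that is not part of the original exercise: classify each `uses:` reference to the action as a commit pin or a mutable tag, then check the resolved SHA the runner recorded in the log against a list of known-bad commits. The workflow text, the log excerpt and the bad-commit value are constructed here (the real malicious SHA is not given on this page, so a placeholder stands in for it).

```python
import re

# Matches a `uses:` line for the action and captures the ref after '@'.
USES_RE = re.compile(r"uses:\s*tj-actions/changed-files@([^\s#]+)")
# A full 40-hex commit SHA is an immutable pin; anything else (v45, main) can be moved.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Runner log line emitted when an action is fetched; the SHA in parentheses is what ran.
DOWNLOAD_RE = re.compile(
    r"Download action repository 'tj-actions/changed-files@(\S+)' \(SHA:([0-9a-f]{40})\)"
)


def classify_pins(workflow_text):
    """Return [(ref, 'sha' | 'mutable')] for every use of the action in a workflow."""
    return [(ref, "sha" if SHA_RE.match(ref) else "mutable")
            for ref in USES_RE.findall(workflow_text)]


def find_bad_runs(log_text, bad_shas):
    """Return [(ref, sha)] for every fetch of the action that resolved to a known-bad SHA."""
    return [(ref, sha) for ref, sha in DOWNLOAD_RE.findall(log_text) if sha in bad_shas]


# Constructed sample workflow: one tag pin (mutable) and one commit pin.
WORKFLOW = """
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567 # v44
"""

# Constructed log excerpt. BAD_SHA is a placeholder, not the actual malicious commit.
BAD_SHA = "b" * 40
LOG = (
    "Download action repository 'actions/checkout@v4' (SHA:" + "a" * 40 + ")\n"
    "Download action repository 'tj-actions/changed-files@v45' (SHA:" + BAD_SHA + ")\n"
)

if __name__ == "__main__":
    for ref, kind in classify_pins(WORKFLOW):
        print(f"{ref}: {kind}")
    for ref, sha in find_bad_runs(LOG, {BAD_SHA}):
        print(f"ran known-bad commit via {ref}: {sha}")
```

Run it over every `.github/workflows/*.yml` in the org and over each archived job log; a mutable pin whose log shows a bad SHA is a confirmed exposure, and a mutable pin with no log evidence still needs its secrets rotated.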
Terminal environment
- user: auditor
- host: ci-archive
- cwd: /var/log/forge-ci
- steps: 6
Safety note. This is a safe reconstruction. All systems, files, hosts, credentials, and outputs are simulated. Do not use these techniques on systems you do not own or have explicit permission to test.