Informational


Advisory: GitHub Action tj-actions/changed-files Compromise (CVE-2025-30066)

CVE(S): CVE-2025-30066

PRODUCT(S): Cloud Optix, Sophos Endpoint, Sophos Central, Sophos Email, Sophos Firewall, Sophos Home, Sophos RED, Sophos UTM, Sophos Wireless, Sophos ZTNA, SophosLabs Intelix

Updated: 2025 Mar 17

Article Version: 1

First Published: 2025 Mar 17

Publication ID: sophos-sa-20250317-tj-action-compromise

Workaround: No

Overview

On 14 March 2025, a security issue was reported in the tj-actions/changed-files GitHub Action: the Action’s code had been compromised by an external attacker.

The compromised code allowed the attacker to log CI/CD credentials from the Runner Worker process into the GitHub build logs. This could lead to the exfiltration of sensitive credentials, particularly if the repository was public or if the attacker had access to the build logs.

Sophos has investigated the potential impact of the compromised GitHub Action and has found no evidence that any Sophos repositories or products were affected.
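
One way to check whether a repository's workflows reference the Action named above, as an added example that is not part of the Sophos advisory: it scans workflow text for `uses:` steps naming tj-actions/changed-files and reports whether each reference is a full commit SHA or a tag or branch, which can be moved to different code. The function name and the sample workflow are constructed for illustration.

```python
import re

ACTION = "tj-actions/changed-files"  # the Action named in this advisory

# Matches a step such as "- uses: tj-actions/changed-files@<ref>" (ref optional).
# The lookahead stops similarly named actions (e.g. "...-files-extra") matching.
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*['\"]?" + re.escape(ACTION)
    + r"(?:@([^\s'\"#]+))?(?=[\s'\"#]|$)",
    re.IGNORECASE,
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_action_refs(workflow_text):
    """Return (line_number, ref, kind) for each step that uses the Action."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # commented-out step, never executed
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1) or ""
        # A full SHA names one fixed commit; it still has to be a commit you
        # have reviewed. Tags and branches can be repointed after the fact.
        kind = "commit-sha" if FULL_SHA_RE.match(ref.lower()) else "mutable-ref"
        findings.append((lineno, ref, kind))
    return findings


# Constructed sample workflow (tag and SHA are placeholders, not real values).
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: List changed files
        uses: tj-actions/changed-files@v1
      # - uses: tj-actions/changed-files@v0
      - uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    for lineno, ref, kind in find_action_refs(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ACTION}@{ref} ({kind})")
```

Any hit means the workflow's build logs from the affected period are worth reviewing for logged credentials.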

Related information

Sophos Responsible Disclosure Policy

To learn about Sophos security vulnerability disclosure policies and publications, see the Responsible Disclosure Policy.