Cloud.gov incident

Security Notice: GitHub Actions supply chain attack targeting Cloud.gov customers


Cloud.gov posted a notice incident on March 17, 2025 affecting the Cloud.gov compliance notification component, lasting 22h 9m. The incident has been resolved; the full update timeline is below.

Started
Mar 17, 2025, 05:36 PM UTC
Resolved
Mar 18, 2025, 03:45 PM UTC
Duration
22h 9m
Detected by Pingoru
Mar 17, 2025, 05:36 PM UTC

Affected components

Cloud.gov compliance notification

Update timeline

  1. identified Mar 17, 2025, 05:36 PM UTC

    The Cloud.gov customer security and operations team discovered today that malicious actors are leveraging the tj-actions/changed-files supply chain attack against Cloud.gov customers. See CVE-2025-30066: https://www.cve.org/CVERecord?id=CVE-2025-30066

    What you need to do:

    If you use GitHub Actions for CI/CD and use the action "tj-actions/changed-files", you should consider your service potentially compromised. Search your GitHub account for occurrences of the compromised action with a search like this (substitute your organization name for {MY_GITHUB_ORG}):

    https://github.com/search?q=org%3A{MY_GITHUB_ORG}+uses%3A+tj-actions%2Fchanged-files%40v+language%3AYAML+path%3A.github%2F&type=code

    If you are using this action, and have had any deployments between March 14 and March 15, 2025, consider your service compromised. We recommend these initial response steps:

    - Declare an incident using your internal incident response process
    - Freeze your GitHub Actions pipelines
    - Rotate service-account credentials (Cloud.gov will be providing more guidance later today)
    - Check for any other potential malicious code additions/deployments that may have been added with accounts that had potentially leaked credentials
    - Notify the Cloud.gov incident team by emailing your findings to [email protected]

    We will be releasing updates with indicators of compromise (IOC) and further remediation steps.

    Notes:

    - You would be vulnerable even if your GitHub organization or code repository is private
    - The Cloud.gov platform itself is not impacted
    - This only applies to Cloud.gov customers using GitHub Actions AND the impacted action

    We are conducting an audit of potential attacks, but Cloud.gov customer development teams should conduct their own code audit. If you require assistance on your investigation, please also email [email protected] and request help.
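
    The GitHub code search above covers repositories hosted in your organization. As an added example (not part of the Cloud.gov notice), the following Python script performs the equivalent check against local checkouts: it scans `.github/workflows/*.yml` for `uses:` references to `tj-actions/changed-files` and reports whether each reference is a mutable tag or branch (the `@v…` pattern the search targets) or a full 40-character commit SHA. The sample workflow texts, file names and the 40-character SHA are constructed placeholders; a SHA pin still has to be compared with the commit hashes published in the vendor advisory, which this script does not embed.

```python
import re
import sys
from pathlib import Path

# Matches `uses: tj-actions/changed-files@<ref>` (optionally a sub-path before `@`,
# optionally quoted, optionally as a `- uses:` list item) and captures the ref.
# Only spaces/tabs are allowed before `uses:` so a match never spans lines.
USES_RE = re.compile(
    r"^[ \t]*-?[ \t]*uses:[ \t]*['\"]?tj-actions/changed-files(?:/[^@'\"\s]*)?@([^'\"\s#]+)",
    re.MULTILINE,
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_changed_files_refs(workflow_text, path="<inline>"):
    """Return one finding per reference to tj-actions/changed-files in a workflow file."""
    findings = []
    for m in USES_RE.finditer(workflow_text):
        ref = m.group(1)
        line_no = workflow_text.count("\n", 0, m.start()) + 1
        pinned = bool(FULL_SHA_RE.match(ref))
        findings.append({
            "path": path,
            "line": line_no,
            "ref": ref,
            "pinned_to_sha": pinned,
            # A tag or branch can be re-pointed upstream at any time; a SHA pin is only as
            # trustworthy as the commit it names, so it must be checked against advisory IoCs.
            "status": ("pinned: compare SHA with advisory IoCs" if pinned
                       else "mutable ref: treat as potentially compromised"),
        })
    return findings


def scan_workflow_dir(repo_root):
    """Scan every workflow file under <repo_root>/.github/workflows."""
    findings = []
    for p in sorted(Path(repo_root).glob(".github/workflows/*.y*ml")):
        findings.extend(find_changed_files_refs(p.read_text(encoding="utf-8"), str(p)))
    return findings


# Constructed sample workflows (not taken from any real repository).
SAMPLE_WORKFLOWS = {
    "ci.yml": """\
name: ci
on: [pull_request]
jobs:
  changed:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Get changed files
        uses: tj-actions/changed-files@v45
        id: changed
""",
    "release.yml": """\
jobs:
  release:
    steps:
      - uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - uses: actions/setup-node@v4
""",
}


def scan_samples():
    """Run the scanner over the constructed samples (used when no repo path is given)."""
    findings = []
    for name, text in SAMPLE_WORKFLOWS.items():
        findings.extend(find_changed_files_refs(text, name))
    return findings


if __name__ == "__main__":
    results = scan_workflow_dir(sys.argv[1]) if len(sys.argv) > 1 else scan_samples()
    for f in results:
        print(f"{f['path']}:{f['line']}  @{f['ref']}  {f['status']}")
```

    Run it with a repository path (`python scan_changed_files.py /path/to/checkout`) to list every reference; with no argument it runs over the constructed samples. Any repository that reports a mutable reference and had workflow runs in the March 14 to 15 window falls under the "consider your service compromised" guidance above.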

  2. monitoring Mar 17, 2025, 11:36 PM UTC

    We've updated the original notification with the relevant CVE: https://www.cve.org/CVERecord?id=CVE-2025-30066

    Since Cloud.gov has strong tenant isolation, the confirmed compromised customer did NOT impact any other Cloud.gov customers. We are providing this notification and updates in the interests of our customers.

    INDICATORS OF COMPROMISE

    At this time it appears the attacker used the compromised GitHub Action to obtain service account credentials (https://cloud.gov/docs/services/cloud-gov-service-account/), used those credentials to log in to Cloud.gov, then used the `cf env` command to view sensitive application variables to enable further movement.

    If you used the compromised GitHub Action, assess all your applications with the command:

    cf events APP_NAME

    If you see entries like the following with the actor [email protected], and the event is not part of a deploy, then it's likely a malicious actor has obtained your application's credentials:

    SAMPLE EVENT
    time                          event                                  actor              description
    2025-03-17T09:08:49.00-0400   audit.app.environment_variables.show   [email protected]

    Regardless of whether there are indicators of compromise or not, if you used the compromised GitHub Action, you should rotate service account credentials per our documentation: https://cloud.gov/docs/services/cloud-gov-service-account/#rotating-credentials

    You should also review GitHub Actions logs for the recent executions of the Action and see if it has leaked secrets. See "Review GitHub Actions Workflow Run Logs" at https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised
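
    Reviewing `cf events` output by hand is workable for one application but not for dozens. As an added example (not part of the Cloud.gov notice), the following Python script parses `cf events` output and flags `audit.app.environment_variables.show` events performed by a service-account actor that are not within a short window of a deploy-related event by the same actor, which is the "not part of a deploy" test the update describes. The event listing, the service-account address `deployer-svc@example.gov` and the set of event types treated as deploy activity are all constructed assumptions; adjust the set to match what your own pipeline emits.

```python
import re
import sys
from datetime import datetime, timedelta

# Constructed sample output of `cf events APP_NAME` (not real data). The 2025-03-14 block
# looks like a normal deploy; the 2025-03-17 read of environment variables has no deploy
# activity around it, which is the pattern the notice describes.
SAMPLE_CF_EVENTS = """\
Getting events for app example-app in org example-org / space prod as alice@example.gov...

time                          event                                  actor                       description
2025-03-14T14:02:10.00-0400   audit.app.package.create               deployer-svc@example.gov
2025-03-14T14:02:11.00-0400   audit.app.environment_variables.show   deployer-svc@example.gov
2025-03-14T14:03:30.00-0400   audit.app.droplet.create               deployer-svc@example.gov
2025-03-14T14:03:40.00-0400   audit.app.restart                      deployer-svc@example.gov    state: STARTED
2025-03-17T09:08:49.00-0400   audit.app.environment_variables.show   deployer-svc@example.gov
2025-03-17T10:15:00.00-0400   audit.app.environment_variables.show   alice@example.gov
"""

# Event types that a routine deploy is assumed to emit (assumption; extend for your pipeline).
DEPLOY_EVENTS = {
    "audit.app.update", "audit.app.package.create", "audit.app.build.create",
    "audit.app.droplet.create", "audit.app.restart", "audit.app.start",
}
ENV_SHOW = "audit.app.environment_variables.show"

# A data row starts with an ISO-8601 timestamp; header and banner lines do not.
ROW_RE = re.compile(r"^(\d{4}-\d\d-\d\dT\S+)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_events(text):
    """Turn `cf events` output into a list of dicts with a timezone-aware datetime."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S.%f%z")
        rows.append({"time": ts, "event": m.group(2), "actor": m.group(3),
                     "description": m.group(4).strip()})
    return rows


def find_suspicious_env_reads(events, service_accounts, window=timedelta(minutes=15)):
    """Return env-variable reads by a service account with no deploy by that actor nearby."""
    deploys = [e for e in events if e["event"] in DEPLOY_EVENTS]
    flagged = []
    for e in events:
        if e["event"] != ENV_SHOW or e["actor"] not in service_accounts:
            continue
        near_deploy = any(
            d["actor"] == e["actor"] and abs(d["time"] - e["time"]) <= window
            for d in deploys
        )
        if not near_deploy:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    # Usage: cf events APP_NAME | python check_cf_events.py svc-account@example.gov
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CF_EVENTS
    accounts = set(sys.argv[1:]) or {"deployer-svc@example.gov"}
    for e in find_suspicious_env_reads(parse_events(text), accounts):
        print(f"SUSPICIOUS {e['time'].isoformat()} {e['event']} by {e['actor']}")
```

    A flagged event is a prompt to investigate, not proof of compromise: a pipeline that reads variables outside its deploy window will also trip it, and the update above is explicit that credentials should be rotated whether or not indicators are found.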

  3. resolved Mar 18, 2025, 03:45 PM UTC

    We are closing this incident since we have no further updates. It is each customer's responsibility to determine whether they were impacted by this vulnerability, but please reach out to Cloud.gov support if you need any assistance in doing so.