GitHub Actions Supply Chain Attack: tj-actions & reviewdog


Hunters Team AXON has released a toolkit to help security teams identify secrets compromised by CVE-2025-30066 & CVE-2025-30154. This toolkit is designed for both incident response and proactive verification of repositories. The tools include a Secret Scanner and a Log Fetching Script, which are essential for analyzing GitHub Actions logs and identifying signs of exfiltrated secrets.

Tools and Resources:

  1. Secret Scanner: A Python tool that analyzes GitHub Actions logs for signs of exfiltrated secrets by looking for double Base64-encoded strings and decoding them.
     – GitHub Repository: cve_2025_30066_scanner.py

  2. Log Fetching Script: Shell and PowerShell scripts (linux_fetch_github_workflow_logs.sh and windows_fetch_github_workflow_logs.ps1) that download a repository's GitHub Actions workflow logs so they can be scanned offline.

You Should Know:

To effectively use these tools, follow these steps:

1. Install Python and Required Libraries:

sudo apt-get update
sudo apt-get install python3 python3-pip
pip3 install requests   # base64 is part of the Python standard library and must not be installed with pip

2. Clone the Rapid Response Repository:

git clone https://github.com/axon-git/rapid-response.git
cd rapid-response/GitHub\ Actions\ Supply\ Chain\ -\ tj-actions_reviewdog/

3. Run the Secret Scanner:

python3 cve_2025_30066_scanner.py --logfile <path_to_logfile>

4. Fetch GitHub Actions Logs on Linux/macOS:

chmod +x linux_fetch_github_workflow_logs.sh
./linux_fetch_github_workflow_logs.sh --token <github_token> --repo <repository_name>

5. Fetch GitHub Actions Logs on Windows:

.\windows_fetch_github_workflow_logs.ps1 -Token <github_token> -Repo <repository_name>

6. Analyze the Logs:

  • Use the Secret Scanner to identify any exfiltrated secrets.
  • Look for patterns such as double Base64 encoded strings.
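Step 6 is where the detection logic lives. The Python below is an added illustration written for this page, not the Hunters Team AXON scanner's own code, of how a double-Base64 check over workflow log lines can work: every run of Base64 alphabet characters is decoded twice, and only tokens whose inner layer is itself valid Base64 and whose final layer is printable text are reported. The 24-character token floor, the sample log lines and the FAKE_SECRET value are constructed assumptions; hex digests and ordinary single-encoded blobs are included to show how they are filtered out.

```python
import base64
import binascii
import re
import string

# Runs of Base64 alphabet long enough to hold an encoded secret.
# The 24-character floor is an assumed threshold, not a value from the
# Hunters toolkit; lowering it catches shorter secrets at the cost of noise.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def _decode_once(token):
    """Strict Base64 decode of one token; None if it is not valid Base64."""
    stripped = token.rstrip("=")
    padded = stripped + "=" * (-len(stripped) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None


def double_decode(token):
    """Return the plaintext if token is base64(base64(printable text)), else None.

    Each layer must decode cleanly: the inner layer has to be ASCII that is
    itself valid Base64, and the final bytes must be printable text. Hex
    digests and single-encoded blobs fail one of these checks.
    """
    first = _decode_once(token)
    if first is None:
        return None
    try:
        inner = first.decode("ascii").strip()
    except UnicodeDecodeError:
        return None
    second = _decode_once(inner)
    if second is None:
        return None
    try:
        text = second.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if not text or not all(ch in string.printable for ch in text):
        return None
    return text


def scan_log(lines):
    """Scan log lines; return (line_number, token, decoded_text) per hit."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for match in B64_TOKEN.finditer(line):
            token = match.group(0)
            text = double_decode(token)
            if text is not None:
                findings.append((lineno, token, text))
    return findings


def scan_logfile(path):
    """Convenience wrapper for a downloaded workflow log file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_log(fh)


# --- Constructed sample log; not real workflow output ---
FAKE_SECRET = "NPM_TOKEN=fake-example-token-0123456789"  # constructed placeholder


def _double_encode(text):
    """Build the double-encoded form, used only to construct the sample line."""
    once = base64.b64encode(text.encode()).decode()
    return base64.b64encode(once.encode()).decode()


SAMPLE_LOG = [
    "2025-03-15T10:12:01Z Run tj-actions/changed-files",
    # 40-char hex digest: valid Base64 alphabet, but decodes to non-ASCII bytes
    "2025-03-15T10:12:02Z Checking out commit 3f2a9c1e7b4d6a8f0c2e5b7d9a1c3e5f7b9d1a3c",
    # the one line that should be flagged
    "2025-03-15T10:12:03Z " + _double_encode(FAKE_SECRET),
    # single-encoded text: inner layer contains spaces, so the second decode fails
    "2025-03-15T10:12:04Z "
    + base64.b64encode(b"ordinary single-encoded build artifact, not a secret").decode(),
]

if __name__ == "__main__":
    for lineno, token, text in scan_log(SAMPLE_LOG):
        print(f"[WARNING] line {lineno}: token {token[:16]}... decodes to: {text}")
```

Run the file directly to see the single constructed hit, or call scan_logfile() on a log downloaded with the fetching scripts. Any decoded value is treated as compromised and rotated; the decode only confirms that a secret was written to the log, it never proves it was not read by someone else.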

7. Mitigation Steps:

  • Rotate any compromised secrets immediately.
  • Review and update GitHub Actions workflows to prevent future attacks.

What Undercode Say:

The GitHub Actions Supply Chain Attack is a critical threat that requires immediate attention. The tools provided by Hunters Team AXON are invaluable for identifying and mitigating the risks associated with CVE-2025-30066 & CVE-2025-30154. By following the steps outlined above, security teams can effectively analyze their GitHub Actions logs and take necessary actions to secure their repositories.

Expected Output:

  • Secret Scanner Output:

    [INFO] Scanning logfile: <path_to_logfile>
    [WARNING] Potential secret found: <secret>
    [INFO] Scan complete. Total secrets found: <count>

  • Log Fetching Script Output:

    [INFO] Fetching logs for repository: <repository_name>
    [INFO] Logs saved to: <output_directory>

  • Mitigation Steps:

    [ACTION] Rotate compromised secrets.
    [ACTION] Update GitHub Actions workflows.

By leveraging these tools and following the outlined steps, security teams can significantly enhance their defenses against supply chain attacks.

References:

Reported By: Tomer Kachlon – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
