Securing Your Supply Chain: How RAD Security Detects the tj-actions/changed-files Attack
Jimmy Mesta
CTO
In the wake of the recent tj-actions/changed-files GitHub Action supply chain attack (CVE-2025-30066), security teams worldwide scrambled to assess their exposure and implement protective measures. The sophisticated attack compromised a widely used GitHub Action, affecting over 23,000 repositories and highlighting the critical importance of robust supply chain security.
At RAD Security, we've built our platform specifically to detect and prevent these types of attacks. Here's how our comprehensive security suite protects organizations from the tj-actions/changed-files compromise and similar supply chain threats.
Understanding the tj-actions/changed-files Attack
On March 12, 2025, attackers compromised the popular tj-actions/changed-files GitHub Action. This action, which identifies file changes in pull requests and commits, is a core component in many CI/CD pipelines. The compromise allowed attackers to:
- Exfiltrate sensitive repository data
- Harvest credentials and tokens
- Potentially inject malicious code into the software supply chain
- Execute remote code on CI/CD runners
The widespread use of this action across thousands of repositories made this a particularly dangerous attack, with potentially far-reaching consequences.
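One way to assess the exposure described above, as an added example that is not RAD Security's code: the Python below scans workflow text for `uses:` references to tj-actions/changed-files and reports whether each is pinned to a full commit SHA or to a tag or branch name that can be repointed. The sample workflow, its SHA and the function name `find_action_refs` are constructed for illustration.

```python
import re

ACTION = "tj-actions/changed-files"
# `uses:` key (optionally the first key of a list item), split as name@ref.
USES_RE = re.compile(r"""^\s*(?:-\s+)?uses:\s*["']?([^@\s"'#]+)@([^\s"'#]+)""")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow (not taken from any real repository).
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  changes:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: list changed files
        uses: tj-actions/changed-files@v41.0.1
      # - uses: tj-actions/changed-files@v35
      - uses: TJ-Actions/changed-files@0123456789abcdef0123456789abcdef01234567  # constructed SHA
"""

def find_action_refs(workflow_text, action=ACTION):
    """Return one finding per active `uses:` line that references `action`."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # commented-out step, never executed
        m = USES_RE.match(line)
        if not m:
            continue
        name, ref = m.group(1), m.group(2)
        # Repository names are case-insensitive; a sub-path may follow owner/repo.
        repo = "/".join(name.lower().split("/")[:2])
        if repo != action:
            continue
        findings.append({
            "line": lineno,
            "ref": ref,
            # Only a full 40-hex commit SHA is immutable; tags and branches can move.
            "pinned_to_sha": bool(FULL_SHA_RE.match(ref.lower())),
        })
    return findings

if __name__ == "__main__":
    for finding in find_action_refs(SAMPLE_WORKFLOW):
        state = "commit SHA" if finding["pinned_to_sha"] else "mutable tag/branch"
        print(f"line {finding['line']}: {ACTION}@{finding['ref']} ({state})")
```

A SHA-pinned reference still has to be compared with the malicious commit named in the CVE-2025-30066 advisory, which this page does not list.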
RAD Security's Multi-Layered Detection Approach
1. Continuous Container Image Analysis
RAD Security continuously scans container images throughout your environment, providing immediate alerts when compromised components are detected. For the tj-actions/changed-files attack:
- Our scanning engines detect suspicious code patterns injected by the compromised action
- ChainGuard™ technology validates image provenance and identifies supply chain irregularities
- Vulnerability correlation connects CVE-2025-30066 to affected images in your registry
# Sample detection output
IMAGE: github-runner:latest
FINDING: Supply Chain Compromise [CRITICAL]
DETAILS: Image contains GitHub Action tj-actions/changed-files@v41.0.1 (affected by CVE-2025-30066)

