https://unit42.paloaltonetworks.com/github-actions-supply-chain-attack
Security researchers have traced the sophisticated supply chain attack that targeted Coinbase in March 2025 back to its origin point: the theft of a personal access token (PAT) associated with the popular open-source static analysis tool SpotBugs.
Palo Alto Networks Unit 42 revealed in their latest update that while the attack against cryptocurrency exchange Coinbase occurred in March 2025, evidence suggests the malicious activity began as early as November 2024, demonstrating the attackers’ patience and methodical approach.
“The attackers obtained initial access by taking advantage of the GitHub Actions workflow of SpotBugs,” Unit 42 explained. This initial compromise allowed the threat actors to move laterally between repositories until gaining access to reviewdog, another open-source project that became a crucial link in the attack chain.
Investigators determined that the SpotBugs maintainer was also an active contributor to the reviewdog project. When the attackers stole this maintainer’s PAT, they gained the ability to push malicious code to both repositories.
The breach sequence began when attackers pushed a malicious GitHub Actions workflow file to the “spotbugs/spotbugs” repository using a disposable account named “jurkaofavak.” Even more concerning, this account had been invited to join the repository by one of the project maintainers on March 11, 2025 – suggesting the attackers had already compromised administrative access.
Unit 42 revealed the attackers exploited a vulnerability in the repository’s CI/CD process. On November 28, 2024, the SpotBugs maintainer modified a workflow in the “spotbugs/sonar-findbugs” repository to use their personal access token while troubleshooting technical difficulties. About a week later, attackers submitted a malicious pull request that exploited a GitHub Actions feature called “pull_request_target,” which allows workflows from forks to access secrets like the maintainer’s PAT.
This compromise initiated what security experts call a “poisoned pipeline execution attack” (PPE). The stolen credentials were later used to compromise the reviewdog project, which in turn affected “tj-actions/changed-files” – a GitHub Action used by numerous organizations including Coinbase.
One puzzling aspect of the attack is the three-month delay between the initial token theft and the Coinbase breach. Security researchers speculate the attackers were carefully monitoring high-value targets that depended on the compromised components before launching their attack.
The SpotBugs maintainer has since confirmed the stolen PAT was the same token later used to invite the malicious account to the repository. All tokens have now been rotated to prevent further unauthorized access.
Security experts remain puzzled by one aspect of the attack: “Having invested months of effort and after achieving so much, why did the attackers print the secrets to logs, and in doing so, also reveal their attack?” Unit 42 researchers noted, suggesting there may be more to this sophisticated operation than currently understood.