Over 20,000 projects affected as Coinbase becomes the main target in a sophistic...
A sophisticated supply chain attack has targeted the code-sharing platform [GitHub](https://www.secureblink.com/cyber-security-news/fake-po-c-repositories-and-malicious-code-on-git-hub). Researchers from Palo Alto Unit 42 and Wiz have unveiled a detailed investigation into a multi-phase breach involving [Coinbase](https://www.secureblink.com/cyber-security-news/coinbase-phishing-scam-exploits-trust-in-email-infrastructure-to-hijack-crypto-wallets) as a primary target.
### **Targeting GitHub Actions**
GitHub Actions, an automation tool commonly used for Continuous Integration and Continuous Deployment (CI/CD), became the focus of a large-scale, cascading supply chain attack earlier this month. Researchers have pinpointed that Coinbase, one of the largest cryptocurrency exchanges, was among the earliest victims despite claims of no significant damage to its assets.
The attack began when malicious code was stealthily injected into the widely-used GitHub Action known as `reviewdog/action-setup@v1`. This action is commonly utilized to automate processes like linting and code review during the development lifecycle. Though the specific method of how the breach occurred remains unclear, its ramifications were far-reaching.
### **A Carefully Orchestrated Infiltration**
The malicious code was introduced into `reviewdog/action-setup@v1` in such a way that whenever other GitHub Actions—such as `tj-actions/eslint-changed-files`—called this action, it would cause sensitive secrets and authentication tokens to be dumped into the GitHub Actions logs. For developers and organizations relying on these tools, this posed a severe risk, as those logs contained critical CI/CD secrets.
As the breach advanced, attackers used this method to steal a *Personal Access Token* (PAT) from an unsuspecting repository, which was then exploited to push a malicious commit to `tj-actions/changed-files`. This action was part of the malicious chain that targeted Coinbase specifically, along with a user account named *"mmvojwip"*, which was later identified as belonging to the attacker.
### **Targeted Commit and Token Theft**
The malicious commit was strategically crafted to target Coinbase’s highly sensitive projects, including `coinbase/agentkit`, a pivotal framework that facilitates interaction between AI agents and blockchain networks. Over 20,000 other projects used the same `tj-actions/changed-files` GitHub Action, increasing the scope of the potential damage. However, it was the timing and execution against Coinbase that highlighted the precision of the attack.
On 14 March 2025, just two hours before the main phase of the attack against `tj-actions/changed-files`, the attackers had successfully stolen a GitHub token with *write permissions* to the `coinbase/agentkit` repository. This token, a critical access point, could have enabled them to significantly alter the project.
### **Attack Neutralized**
Despite the alarming nature of the breach, Coinbase confirmed through discussions with Palo Alto’s Unit 42 that the attackers were ultimately unsuccessful in causing any tangible damage. The company issued a statement asserting that no assets or code from the `agentkit` project or any other Coinbase resource had been compromised.
_“We followed up by sharing more details of our findings with Coinbase, which stated that the attack was unsuccessful at causing any damage to the agentkit project, or any other Coinbase asset,”_ said Unit 42 in their report.
Coinbase's swift action, coupled with an effective response to mitigate further damage, ensured that the potential for widespread disruption was contained.
While Coinbase’s prompt response helped limit the immediate impact, this attack underscores a growing concern over supply chain vulnerabilities in software development. With an increasing number of organizations relying on open-source GitHub Actions, a dependency chain like this presents a ripe opportunity for threat actors.
Palo Alto Unit 42 and Wiz’s analysis revealed that while Coinbase was the primary focus, the cascading nature of the attack means it could have been far more widespread. It’s critical for organizations to reevaluate their security protocols, ensuring that actions such as code review and continuous integration are secure, both in terms of the tools they use and the repositories they manage.
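One concrete control this recommendation points to is referencing third-party actions by full commit SHA rather than by a mutable tag such as `@v1` or a branch, since a tag can be repointed at a poisoned commit exactly as `reviewdog/action-setup@v1` was. The script below is an added example (not from the article, Unit 42 or Wiz) that scans a constructed workflow file for `uses:` references that are not SHA-pinned; the SHA in the sample is a placeholder value.

```python
import re
from typing import NamedTuple

# Constructed sample workflow (not from the article). The 40-hex SHA is a
# placeholder, not a real commit; the tag and branch refs are mutable.
SAMPLE_WORKFLOW = """\
name: lint
on: [pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
      - uses: reviewdog/action-setup@v1
      - uses: tj-actions/changed-files@main
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

class Finding(NamedTuple):
    line: int
    action: str
    ref: str
    reason: str

def find_unpinned_actions(workflow_text: str) -> list[Finding]:
    """Return third-party actions that are not pinned to a full commit SHA.

    Local (./) and docker:// references are skipped: the former live in the
    repository itself and the latter are pinned by image digest, not git ref.
    """
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref_spec = m.group(1)
        if ref_spec.startswith("./") or ref_spec.startswith("docker://"):
            continue
        action, _, ref = ref_spec.partition("@")
        if not ref:
            findings.append(Finding(lineno, action, "", "no ref; resolves to default branch"))
        elif not SHA_RE.match(ref):
            findings.append(Finding(lineno, action, ref, "mutable tag or branch; can be repointed"))
    return findings

if __name__ == "__main__":
    for f in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.action}@{f.ref or '<none>'} -> {f.reason}")
```

Run it against `.github/workflows/*.yml` in CI to fail a build that introduces an unpinned action; pinning alone does not vet the pinned code, so pair it with review of the referenced commit.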