Coinbase Targeted in Massive GitHub Actions Supply Chain Attack

By /

Listen to this Post

A Sophisticated Attack on Coinbase and the Open-Source Community

A recent large-scale supply chain attack on GitHub Actions has been traced back to a campaign primarily targeting Coinbase, one of the leading cryptocurrency exchanges. The breach, which compromised secrets in hundreds of repositories, was discovered by security researchers at Palo Alto Networks’ Unit 42 and Wiz.

The attack was executed through a sophisticated chain of events, beginning with the injection of malicious code into the widely used GitHub Action, reviewdog/action-setup@v1. This modified action was designed to extract and leak CI/CD secrets and authentication tokens into GitHub workflow logs, allowing attackers to escalate their access.

The attackers leveraged another GitHub Action, tj-actions/eslint-changed-files, which unknowingly triggered the compromised reviewdog action. This resulted in sensitive secrets being exposed, including a Personal Access Token (PAT), which was then used to push a malicious commit to tj-actions/changed-files, another GitHub Action with a large user base.

Key Details of the Attack:

  • The primary target was Coinbase, particularly its coinbase/agentkit repository, a framework used for blockchain AI agents.
  • The attackers gained write access to the repository after obtaining a GitHub token with sufficient permissions.
  • The breach occurred on March 14, 2025, at 15:10 UTC, just two hours before the larger attack on tj-actions/changed-files.
  • While over 23,000 repositories utilized changed-files, only 218 repositories were ultimately affected.
  • Despite the attackers’ efforts, Coinbase reported no damage to its assets.

Though Coinbase claims the attack did not result in any actual harm, the campaign demonstrated how a single compromise in open-source dependencies can lead to widespread security breaches.

What Undercode Say:

The Risk of Cascading Supply Chain Attacks

This attack highlights the systemic risks of software supply chains, particularly in open-source ecosystems. When a single dependency is compromised, it can have far-reaching consequences across thousands of projects. The reliance on shared libraries and GitHub Actions makes modern development more efficient but also inherently vulnerable to such cascading attacks.

Targeted or Opportunistic?

While Coinbase was the initial focus, the attackers’ strategy suggests an opportunistic expansion once their primary target was unreachable. They quickly pivoted to affecting as many projects as possible through tj-actions/changed-files, potentially in an attempt to escalate their attack surface and find other valuable repositories.

Lessons for Developers and Organizations

  • Strictly control write access permissions: The attacker managed to obtain a GitHub token with write access to Coinbase’s repository. Organizations should minimize token privileges to reduce risk.
  • Monitor dependencies aggressively: The malicious code was introduced through an external GitHub Action, meaning teams using it unknowingly inherited the security flaw. Automated dependency security monitoring is crucial.
  • Enable logging and alerting: The breach was detected through workflow logs, showing how detailed logging can help identify security incidents in real-time.
  • Adopt Zero Trust principles: Assuming that any external dependency could be compromised is the best defense. Implement sandboxed environments for testing third-party actions before deployment.

Why Coinbase Was a Target

Cryptocurrency platforms are frequent targets for cybercriminals due to their high-value assets and financial data. Coinbase’s agentkit repository is used for blockchain AI agents, meaning any compromise could potentially be used for manipulating transactions, altering AI behavior, or gaining unauthorized access to blockchain-related systems.

GitHub’s Role in Preventing Future Attacks

GitHub needs to enhance security controls for Actions, including:
– Stricter validation of public actions to prevent malicious code injections.
– Real-time anomaly detection to identify suspicious behavior in workflows.
– Stronger secrets management to prevent tokens from being exposed in logs.

The breach serves as a wake-up call for developers and organizations relying on GitHub Actions. Supply chain attacks are increasingly sophisticated, and better security hygiene is the only way to mitigate their impact.

Fact Checker Results

  • Coinbase confirms no assets were compromised despite the attack.
  • The attack primarily affected open-source repositories, with only 218 directly impacted out of 23,000 potential targets.
  • GitHub has yet to publicly respond on any policy changes following the attack.

References:

Reported By: https://www.bleepingcomputer.com/news/security/coinbase-was-primary-target-of-recent-github-actions-breaches/
Extra Source Hub:
https://www.linkedin.com
Wikipedia
Undercode AI

Image Source:

Pexels
Undercode AI DI v2

Join Our Cyber World:

💬 Whatsapp | 💬 TelegramFeatured Image

Explore More: