Full Report
The supply chain attack involving the GitHub Action "tj-actions/changed-files" started as a highly-targeted attack against one of Coinbase's open-source projects, before evolving into something more widespread in scope. "The payload was focused on exploiting the public CI/CD flow of one of their open source projects – agentkit, probably with the purpose of leveraging it for further compromises,"
Analysis Summary
# Incident Report: GitHub Actions Supply Chain Compromise (tj-actions/changed-files)
## Executive Summary
A sophisticated, multi-stage supply chain attack compromised two popular GitHub Actions, `tj-actions/changed-files` (CVE-2025-30066) and its dependency `reviewdog/action-setup` (CVE-2025-30154). The attackers initially targeted Coinbase's open-source project but expanded the scope, leading to the leakage of secrets (primarily DockerHub, npm, and AWS credentials) from 218 dependent repositories. The incident was discovered on March 14, 2025, and successfully remediated by Coinbase by March 19, 2025.
## Incident Details
- **Discovery Date:** March 14, 2025
- **Incident Date:** Began prior to discovery, with widespread impact observed by March 14, 2025.
- **Affected Organization:** Multiple organizations using the compromised GitHub Actions; Coinbase was an initial, specific target.
- **Sector:** Technology / Open Source Software Development
- **Geography:** Global (due to nature of GitHub)
## Timeline of Events
### Initial Access (Chain of Compromise)
- **Date/Time:** Prior to March 14, 2025
- **Vector:** Compromise of the dependency `reviewdog/action-setup` via a vulnerability believed to involve a modified fork pull request ("dangling commit").
- **Details:** An attacker obtained a Personal Access Token (PAT) associated with the `tj-actions/changed-files` repository maintainer account (`tj-bot-actions`), likely by exploiting the `reviewdog/action-setup` dependency vulnerability (CVE-2025-30154). This PAT allowed the attacker to gain write access to `tj-actions/changed-files`.
### Lateral Movement
- **Date/Time:** Pre-March 14, 2025 (Initial Coinbase targeting)
- **Vector:** Exploitation of CI/CD pipeline through the compromised action.
- **Details:** The attacker modified `tj-actions/changed-files` to include a malicious payload. When executed in a repository, this payload could steal secrets. The attacker specifically targeted Coinbase's `agentkit` project, modifying its `changelog.yml` via another fork pull request to point to the malicious action version, intending to steal Coinbase secrets using an execution-specific payload.
### Data Exfiltration/Impact
- **Date/Time:** March 14, 2025 (Widespread disclosure)
- **Vector:** Execution of the compromised `tj-actions/changed-files` workflow.
- **Details:** The widely deployed malicious version of `tj-actions/changed-files` leaked secrets from 218 dependent repositories. Leaked data primarily consisted of short-lived `GITHUB_TOKEN`s, but also included credentials for DockerHub, npm, and AWS. The initial targeted attack against Coinbase failed to exfiltrate their secrets.
### Detection & Response
- **Date/Time:** March 14, 2025 (Discovery) through March 19, 2025 (Coinbase remediation).
- **Details:** The scope of the attack was unveiled by security researchers (Palo Alto Networks Unit 42, Endor Labs). Coinbase was able to detect and mitigate the specific compromise targeting their repository environment by March 19, 2025.
## Attack Methodology (Inferred via CVEs/Description)
- **Initial Access:** Compromise of upstream dependency (`reviewdog/action-setup`) to steal a PAT belonging to the `tj-actions/changed-files` maintainer account.
- **Persistence:** Modifying the published version of the trusted `tj-actions/changed-files` action to include malicious code executed during standard CI/CD runs.
- **Privilege Escalation:** Likely escalated privileges on the `tj-actions/changed-files` repository via the stolen PAT, allowing write access to the popular action.
- **Defense Evasion:** Used multiple temporary GitHub accounts, obscured activities using "dangling commits" (fork PRs), and employed different payloads for targeted vs. widespread attacks to remain stealthy.
- **Credential Access:** Dumping environment variables/runner memory during workflow execution to retrieve secrets.
- **Discovery:** Initial reconnaissance likely targeted high-value organizations (e.g., Coinbase). Later stage involved broad secret-dumping across all dependents.
- **Lateral Movement:** N/A (Attack was lateral movement within the software supply chain/dependency tree, not network movement).
- **Collection:** Targeted collection of secrets stored as environment variables, including tokens for DockerHub, npm, and AWS, and GitHub install access tokens.
- **Exfiltration:** Implied exfiltration of collected secrets through the compromised workflow execution channels.
- **Impact:** Exposure of sensitive credentials across numerous software development pipelines.
## Impact Assessment
- **Financial:** Not quantified, but substantial potential risk given the exposure of cloud and package registry credentials.
- **Data Breach:** Exposure of secrets/credentials (DockerHub, npm, AWS access tokens) in 218 repositories. Most were short-lived `GITHUB_TOKEN`s.
- **Operational:** CI/CD pipelines of dependent repositories were poisoned, forcing immediate security audits and remediation across the ecosystem.
- **Reputational:** Negative impact on the security posture of the involved open-source projects and their users.
## Indicators of Compromise
*Note: Specific IOCs from the article were obfuscated or related to temporary accounts, but the primary indicators relate to the compromised Actions.*
- **Network indicators:** N/A (Direct compromise of repository metadata/code)
- **File indicators:** Malicious commits altering configuration files or workflow definitions within the compromised actions.
- **Behavioral indicators:** Workflows executing unexpected shell commands inside CI/CD runners designed to echo environment variables/secrets to the logs.
## Response Actions
- **Containment measures:** Affected users were advised to review and invalidate any leaked tokens/credentials immediately. Remediation of the repository settings related to the compromised GitHub Actions.
- **Eradication steps:** The malicious code was removed from both `tj-actions/changed-files` and the dependency `reviewdog/action-setup`.
- **Recovery actions:** Coinbase remediated their specific exposure by March 19, 2025. Other impacted projects were urged to audit and cycle secrets.
## Lessons Learned
- **Skillful Attacker:** The attacker demonstrated high skill, deep knowledge of CI/CD security, and evasion tactics (e.g., dangling commits, disposable emails).
- **Dependency Risk is High:** A vulnerability in a deeply nested dependency (`reviewdog/action-setup`) enabled the compromise of a highly used, upstream action (`tj-actions/changed-files`).
- **Payload Diversification:** The attacker used different obfuscation and execution payloads for targeted (Coinbase) versus widespread attacks, suggesting calculated risk management.
- **Limited Blast Radius Confirmation:** While initially alarming (tens of thousands of dependents), the actual impact was confined to 218 repositories, mainly exposing short-lived tokens.
## Recommendations
- Users must rigorously review all third-party code, especially GitHub Actions, before updating or running workflows.
- Implement strong secrets management policies: limit token lifespans and adhere strictly to the principle of least privilege for CI/CD runner tokens.
- GitHub should continue reviewing user accounts and acceptable use policies related to suspicious maintenance activity (e.g., utilizing disposable emails for core account maintenance).