Full Report
A cascading supply chain attack on GitHub that targeted Coinbase in March has now been traced back to a single token stolen from a SpotBugs workflow, which allowed a threat actor to compromise multiple GitHub projects. [...]
Analysis Summary
# Incident Report: GitHub Supply Chain Attack via Leaked SpotBugs Token
## Executive Summary
A highly organized supply chain attack targeted software dependencies consumed through GitHub Actions, initiated by an attacker leveraging a stolen or leaked SpotBugs token. The attacker poisoned a popular GitHub Action, `tj-actions/eslint-changed-files`, by overriding its Git tags to point at malicious code designed to dump secrets from CI/CD runners into build logs. While the compromise reached a broad set of repositories, the payload executed against Coinbase's 'agentkit' repository on March 14, 2025, but failed to expose any secrets.
## Incident Details
- **Discovery Date:** Not explicitly stated, but response began immediately after execution on March 14, 2025.
- **Incident Date:** Attack execution observed targeting Coinbase on March 14, 2025. The planning phase began months prior.
- **Affected Organization:** Coinbase (specific target) and potentially 218 other repositories using the compromised action.
- **Sector:** Software Development/Fintech
- **Geography:** Not disclosed, but related to GitHub ecosystem operations.
## Timeline of Events
### Initial Access
- **Date/Time:** Months prior to March 2025 (planning phase).
- **Vector:** Leaked or stolen credential; the report traces it to a token taken from a SpotBugs workflow.
- **Details:** Attacker gained sufficient access to override Git tags in the target repository (`tj-actions/eslint-changed-files`).
### Lateral Movement
- **Details:** With write access to the dependency repository, the attacker moved into the CI/CD pipelines of every consumer of the action by overriding its standard Git tags (e.g., `v1`) to point at a malicious commit.
### Data Exfiltration/Impact
- **Details:** The malicious commit was designed to dump secrets from CI runners into logs. While it impacted 218 repositories, the attempt to access Coinbase's infrastructure failed as no secrets were exposed.
### Detection & Response
- **Details:** The company (Coinbase) was "quickly tipped about the attempted breach" and immediately removed the compromised workflow from their systems.
- **Response actions taken:** Removal of the malicious workflow; subsequent investigations conducted.
## Attack Methodology
- **Initial Access:** Leveraging a token or compromised credentials to gain write access to a third-party GitHub repository.
- **Persistence:** N/A (Implied short-term persistence via tag manipulation).
- **Privilege Escalation:** N/A (Direct injection into the supply chain).
- **Defense Evasion:** Utilizing legitimate repository mechanisms (Git tag override) to inject malicious code that appeared as part of a legitimate dependency update process.
- **Credential Access:** The payload was explicitly designed to capture secrets dumped in CI logs.
- **Discovery:** N/A (This phase focused on exploitation rather than internal reconnaissance).
- **Lateral Movement:** Not traditional network movement, but movement through the software supply chain (dependency trust).
- **Collection:** Secrets dumped from the CI runner into its logs, e.g., printed as base64-encoded blobs.
- **Exfiltration:** Implied exfiltration of collected secrets (not explicitly detailed how the log data was retrieved).
- **Impact:** Attempted compromise of secrets within CI/CD environments.
## Impact Assessment
- **Financial:** Not disclosed.
- **Data Breach:** Attempted breach targeting secrets. Confirmed that secrets were *not* exposed for Coinbase. Potentially impacted logs of 218 repositories.
- **Operational:** Coinbase had to quickly remove the compromised workflow; minor operational disruption for affected consumers needing remediation.
- **Reputational:** Highlights vulnerabilities in the GitHub Actions ecosystem and open-source trust model, leading to negative exposure for the affected third-party action maintainer.
## Indicators of Compromise
- **Network indicators:** None listed.
- **File indicators:** The malicious commit hash associated with the overridden Git tag.
- **Behavioral indicators:** CI/CD logs exhibiting unusual output, particularly logs containing base64-encoded blobs or plaintext secrets during the March 10-14, 2025 timeframe.
## Response Actions
- **Containment measures:** Coinbase immediately removed the compromised workflow upon being tipped off.
- **Eradication steps:** Not detailed; implicitly, verification that the malicious version was no longer being pulled.
- **Recovery actions:** Auditing of relevant GitHub Actions logs (March 10-14, 2025) for signs of exfiltration.
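The log audit described under Response Actions (and repeated in the Recommendations) can be scripted. The following is an added example written for this report, not tooling from Coinbase, GitHub or the affected action; the log lines, the fake `ghp_` token and the fake AWS key are constructed placeholders, and the list of "secret-looking" markers is an assumption you should extend for your own environment. It restricts itself to lines dated inside the March 10-14, 2025 window, decodes any run of 40 or more base64 characters, and flags decoded or plaintext content that looks like a credential.

```python
import base64
import re
from datetime import date

# Constructed sample runner log (not from the incident). Both secret values are
# fake placeholders; the blob is built here so the example stays self-contained.
FAKE_SECRET_JSON = b'{"GITHUB_TOKEN": "ghp_EXAMPLEONLYFAKETOKEN"}'
FAKE_BLOB = base64.b64encode(FAKE_SECRET_JSON).decode("ascii")
SAMPLE_LOG = "\n".join([
    "2025-03-14T02:11:03Z Run tj-actions/eslint-changed-files@v1",
    "2025-03-14T02:11:04Z Checking out files",
    "2025-03-14T02:11:05Z " + FAKE_BLOB,
    "2025-03-14T02:11:06Z All 12 files linted",
    "2025-03-14T02:11:07Z AWS_SECRET_ACCESS_KEY=EXAMPLEONLYFAKESECRET000",
])

# Audit window named in the report: March 10-14, 2025 (inclusive).
WINDOW = (date(2025, 3, 10), date(2025, 3, 14))

# 40+ base64 characters is long enough to carry a token; shorter runs are mostly
# short hashes, hostnames and ordinary words.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Markers that make a decoded blob worth a human look (assumed list, extend as needed).
SECRET_WORDS = re.compile(r"TOKEN|SECRET|PASSWORD|PRIVATE KEY|ghp_|ghs_|AKIA")
# Plaintext `NAME=value` where NAME looks like a credential variable.
PLAINTEXT = re.compile(r"\b([A-Z][A-Z0-9_]*(?:SECRET|TOKEN|KEY|PASSWORD)[A-Z0-9_]*)=\S+")


def in_window(line, window=WINDOW):
    """True if the line's leading ISO date falls in the audit window, or if it has no date."""
    try:
        day = date.fromisoformat(line[:10])
    except ValueError:
        return True
    return window[0] <= day <= window[1]


def try_decode(blob):
    """Decode a base64 run; return the text only if it is printable ASCII, else None."""
    padded = blob + "=" * (-len(blob) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if all(c.isprintable() or c in "\r\n\t" for c in text) else None


def scan_log(text, window=WINDOW):
    """Return findings (line number, kind, preview) for printed secrets inside the window."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not in_window(line, window):
            continue
        for m in B64_RUN.finditer(line):
            decoded = try_decode(m.group(0))
            if decoded is not None and SECRET_WORDS.search(decoded):
                findings.append({"line": lineno, "kind": "base64", "preview": decoded[:60]})
        m = PLAINTEXT.search(line)
        if m:
            findings.append({"line": lineno, "kind": "plaintext", "preview": m.group(1)})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['kind']} -> {f['preview']}")
```

Run it over exported workflow logs rather than the web UI: GitHub masks registered secrets in the UI only when they appear verbatim, so a base64-encoded copy passes through unmasked, which is exactly why the report singles out base64 blobs. Any hit means the secret must be treated as exposed and rotated.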
## Lessons Learned
- The incident demonstrates that breaches can be highly organized and meticulously planned, starting months in advance.
- Fundamental problems exist in the chain of trust between open-source repositories and the GitHub Action ecosystem, specifically related to tag mutability and poor audit logging within actions.
- Relying on mutable references like Git tags for dependencies creates significant supply chain risk.
## Recommendations
- Projects and repositories that used the compromised actions should rotate all secrets immediately.
- Audit GitHub Actions logs, especially from March 10-14, 2025, for signs of secrets being printed (especially base64-encoded blobs).
- Pin dependencies to **commit hashes** instead of tags to prevent tag-override attacks.
- Avoid the `pull_request_target` trigger unless absolutely necessary, because of its inherent security risks.
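The last two recommendations (pin to commit hashes, avoid `pull_request_target`) are the kind of check worth running over every workflow file in an organization. The script below is an added example written for this report, not tooling from GitHub or any project named here; the sample workflow is constructed, the 40-hex value in it is a placeholder rather than any real action's commit, and the trigger check is a deliberately simple per-line match rather than a full YAML parse. It classifies each `uses:` reference as pinned to a full SHA, mutable (tag, branch or image tag, all of which can be moved), or a same-repository path, and reports whether the workflow runs on `pull_request_target`.

```python
import re

# Constructed sample workflow (not from any real repository). The 40-hex value is a
# placeholder SHA, not the commit of any real action.
SAMPLE_WORKFLOW = """\
name: lint
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@deadbeefdeadbeefdeadbeefdeadbeefdeadbeef  # placeholder sha
      - uses: tj-actions/eslint-changed-files@v1
      - uses: ./.github/actions/local-lint
      - uses: docker://ghcr.io/example/linter:latest
"""

USES = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.M)
FULL_SHA = re.compile(r"[0-9a-f]{40}")


def classify_ref(ref):
    """'sha' (immutable), 'mutable' (tag/branch/image tag), or 'local' (same-repo path)."""
    if ref.startswith("./"):
        return "local"  # resolved against the calling commit, so already immutable
    if ref.startswith("docker://"):
        return "sha" if "@sha256:" in ref else "mutable"  # image tags move too
    if "@" not in ref:
        return "mutable"
    version = ref.rsplit("@", 1)[1]
    return "sha" if FULL_SHA.fullmatch(version) else "mutable"


def uses_pull_request_target(text):
    """True if the trigger appears outside a comment (per-line check, not a YAML parse)."""
    for line in text.splitlines():
        if re.search(r"\bpull_request_target\b", line.split("#", 1)[0]):
            return True
    return False


def audit_workflow(text):
    """Group every `uses:` reference by classification and note the risky trigger."""
    report = {"sha": [], "mutable": [], "local": [],
              "pull_request_target": uses_pull_request_target(text)}
    for ref in USES.findall(text):
        report[classify_ref(ref)].append(ref)
    return report


if __name__ == "__main__":
    r = audit_workflow(SAMPLE_WORKFLOW)
    for ref in r["mutable"]:
        print(f"UNPINNED: {ref}")
    if r["pull_request_target"]:
        print("WARNING: workflow runs on pull_request_target")
```

To convert a flagged tag into a pin, resolve it once on a trusted machine (`git ls-remote <repo-url> refs/tags/<tag>` gives the commit it currently points to), review that commit, and write the full 40-character SHA after the `@` with the tag kept in a trailing comment for readability. A SHA-pinned reference cannot be redirected by whoever controls the upstream tags, which is the mechanism this attack relied on.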