Full Report
The cascading supply chain attack that initially targeted Coinbase before becoming more widespread to single out users of the "tj-actions/changed-files" GitHub Action has been traced further back to the theft of a personal access token (PAT) related to SpotBugs. "The attackers obtained initial access by taking advantage of the GitHub Actions workflow of SpotBugs, a popular open-source tool for
Analysis Summary
# Incident Report: Cascading GitHub Actions Supply Chain Attack
## Executive Summary
A sophisticated cascading supply chain attack began with the exploitation of a leaked Personal Access Token (PAT) belonging to a SpotBugs maintainer, dating back to November 2024. This initial compromise allowed attackers to inject malicious code into the `reviewdog/action-setup` GitHub Action via dependency poisoning, ultimately enabling a targeted attack against Coinbase in March 2025. The incident highlights the severe risks of using PATs in CI/CD workflows and the vulnerabilities inherent in software supply chains.
## Incident Details
- **Discovery Date:** Investigation began with the compromise of `reviewdog/action-setup`, but the initial token leak was identified around November/December 2024.
- **Incident Date:** Malicious activity began as early as November 2024; the high-profile Coinbase attack occurred in March 2025.
- **Affected Organization:** Coinbase (high-profile target); SpotBugs and Reviewdog open-source projects were leveraged/compromised.
- **Sector:** Software/Technology, Open Source Supply Chain.
- **Geography:** Not explicitly disclosed, but related to global open-source projects.
## Timeline of Events
### Initial Access
- **Date/Time:** 2024-11-28T09:45:13 UTC
- **Vector:** Poisoned Pipeline Execution (PPE) vulnerability exploitation via a malicious Pull Request on a dependent repository.
- **Details:** A SpotBugs maintainer modified a workflow in `spotbugs/sonar-findbugs` to use their personal PAT to resolve CI/CD issues. An attacker subsequently submitted a malicious pull request to this repository that exploited the `pull_request_target` trigger, causing the workflow to execute and leak the maintainer's PAT.
### Lateral Movement
- **Date/Time:** Between late 2024 and March 2025.
- **Vector:** Abuse of the leaked PAT.
- **Details:** The leaked PAT granted access to **SpotBugs** repositories. Attackers used this access to invite a disposable user ("jurkaofavak") to the `spotbugs/spotbugs` repository. The PAT was subsequently used to compromise **reviewdog/action-setup**. The final stage involved poisoning the popular `tj-actions/changed-files` action by leveraging the compromised `reviewdog/action-setup` dependency.
### Data Exfiltration/Impact
- **Date/Time:** Targeting escalated toward March 2025 (e.g., Coinbase attack).
- **Vector:** Exploitation of compromised GitHub Actions dependencies.
- **Details:** The ultimate goal was to strike high-value targets like Coinbase. The method of impact involved compromising the execution environment of projects relying on the poisoned actions. The attackers ultimately printed secrets to logs, revealing their attack path.
### Detection & Response
- **Date/Time:** Investigation began after it became known that `reviewdog/action-setup` was compromised.
- **Vector:** Analysis by Palo Alto Networks Unit 42.
- **Details:** Unit 42's investigation uncovered the dependency chain leading back to the SpotBugs PAT leak. The maintainer rotated all associated tokens and PATs.
## Attack Methodology
| MITRE Step | Method Used |
| :--- | :--- |
| **Initial Access** | Poisoned Pipeline Execution (PPE) via `pull_request_target` trigger on a workflow using a PAT. |
| **Persistence** | Unspecified, possibly maintaining access via the compromised PAT until rotated. |
| **Privilege Escalation** | Used the leaked PAT to gain write permissions/membership in the `spotbugs/spotbugs` repository under the user "jurkaofavak." |
| **Defense Evasion** | Unknown, but the multi-stage dependency chain may have obscured the initial point of compromise for some time. |
| **Credential Access** | Leaked Personal Access Token (PAT) belonging to the SpotBugs maintainer. |
| **Discovery** | Suspected monitoring of projects dependent on the compromised actions (`tj-actions/changed-files`). |
| **Lateral Movement** | Moving between SpotBugs repositories; then poisoning the dependency chain involving `reviewdog/action-setup` and `tj-actions/changed-files`. |
| **Collection** | Targeting secrets/environment variables available during the compromised workflow execution (e.g., against Coinbase). |
| **Exfiltration** | Not detailed, but targeting secrets confirms intent for exfiltration or system compromise. |
| **Impact** | Utilizing the poisoned supply chain to compromise downstream users like Coinbase. |
## Impact Assessment
- **Financial:** Not disclosed, but assumed significant given the high-profile nature of the successful attack against Coinbase.
- **Data Breach:** Specifics on data compromised during the Coinbase incident are not detailed, but the attack vector implies access to repository secrets or sensitive data processed by the CI/CD pipelines.
- **Operational:** Disruption and compromise of multiple open-source software projects through dependency poisoning.
- **Reputational:** Significant damage to trust in open-source ecosystem security, particularly GitHub Actions workflows.
## Indicators of Compromise
- **Network Indicators:** None provided in the source.
- **File Indicators:** Rogue version of `reviewdog/action-setup`; malicious workflow files in `spotbugs/spotbugs`.
- **Behavioral Indicators:** A user ("jurkaofavak") invited to contribute to a repository shortly after token exposure; execution of workflows via the `pull_request_target` trigger in repositories whose CI/CD workflows use secrets.
## Response Actions
- **Containment:** The SpotBugs maintainer rotated all associated Personal Access Tokens (PATs) and secrets to revoke attacker access.
- **Eradication:** Removing the malicious commits and revoking invitations associated with the attacker's account ("jurkaofavak").
- **Recovery:** Reverting the compromised dependency (`reviewdog/action-setup`), although the full extent of cleanup across dependent projects is complex.
## Lessons Learned
- **PAT Risk:** Using Personal Access Tokens in CI/CD workflows, especially those exposed via triggers like `pull_request_target`, creates critical supply chain risks if leaked.
- **Dependency Chaining:** Attacks can be highly effective by chaining compromises across multiple layers of the software supply chain (e.g., one maintainer's PAT leading to two projects, which then impacts a third, major user).
- **Attack Latency:** Attackers held the compromised credentials for months (November to March), waiting for a high-value target (Coinbase) to use the poisoned component.
## Recommendations
- Limit the scope and lifetime of all PATs used in GitHub Actions workflows to the minimum necessary permissions.
- Favor the workflow-scoped **`GITHUB_TOKEN`** over PATs for workflow-to-workflow communication where possible, configured with appropriate repository/organization scoping.
- Implement strict review processes for permissions granted to external contributors, especially regarding CI/CD system access.
- Audit CI/CD configurations to strictly avoid using the `pull_request_target` trigger if secrets are leveraged, or modify workflows to use `pull_request` triggers when handling contributions from external forks.
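The following audit script, added here as an illustration and not part of the original report or of any project named in it, implements the last recommendation: it flags workflows that combine the `pull_request_target` trigger with a checkout of the pull request head and stored secrets, which is the pattern that leaked the SpotBugs maintainer's PAT. Both workflow texts are constructed samples (`RISKY_WORKFLOW` mirrors the risky shape, `SAFER_WORKFLOW` the hardened form with a plain `pull_request` trigger and a read-only token); the scan is a text heuristic, not a full YAML parser.

```python
import re

# Constructed sample, not the real spotbugs/sonar-findbugs file: a pull_request_target
# job that checks out the PR head (fork code) and hands a maintainer PAT to it.
RISKY_WORKFLOW = """\
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: ./gradlew build
        env:
          GH_TOKEN: ${{ secrets.MAINTAINER_PAT }}
"""

SAFER_WORKFLOW = """\
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./gradlew build
"""

TRIGGER_RE = re.compile(r"^\s*pull_request_target\s*:", re.M)
HEAD_REF_RE = re.compile(r"github\.event\.pull_request\.head\.(?:sha|ref)")
SECRET_RE = re.compile(r"\bsecrets\.([A-Za-z0-9_]+)")

def audit_workflow(text):
    """Text-level heuristic scan of one workflow; returns (severity, message) pairs."""
    findings = []
    if not TRIGGER_RE.search(text):
        return findings  # only pull_request_target runs fork PRs with secrets in scope
    pats = sorted({s for s in SECRET_RE.findall(text) if s != "GITHUB_TOKEN"})
    runs_fork_code = bool(HEAD_REF_RE.search(text))
    if runs_fork_code and pats:
        findings.append(("high", "PR head is checked out and can read " + ", ".join(pats)))
    elif runs_fork_code:
        findings.append(("medium", "PR head is checked out with GITHUB_TOKEN in scope"))
    elif pats:
        findings.append(("low", "pull_request_target job holds " + ", ".join(pats)))
    return findings
```

Run `audit_workflow` over every file under `.github/workflows/` and treat any `high` finding as a blocker; the `medium` case still lets fork code run with the repository token available, which should be restricted with a `permissions:` block.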