Full Report
The threat actors initially attempted to compromise projects associated with the Coinbase cryptocurrency exchange, said Palo Alto Networks
Analysis Summary
# Incident Report: Supply Chain Compromise via Malicious GitHub Action (`tj-actions/changed-files`)
## Executive Summary
A sophisticated, multi-stage supply chain attack originated from the compromise of the `spotbugs` GitHub workflow in November 2024, culminating in the modification of the widely used `tj-actions/changed-files` action. The threat actor aimed to access Coinbase-linked projects but succeeded in poisoning the CI/CD secrets of 218 dependent repositories by leaking them into public build logs. The incident was detected in March 2025 by security researchers and was officially cataloged as CVE-2025-30066.
## Incident Details
- **Discovery Date:** March 14, 2025 (When researchers spotted the tampered source code.)
- **Incident Date:** Initial compromise occurred November 2024. Malicious payload deployed March 11, 2025.
- **Affected Organization:** Multiple open-source projects, including those relying on `tj-actions/changed-files`.
- **Sector:** Software Development / Open Source Ecosystem (Targeted cryptocurrency sector via Coinbase).
- **Geography:** Global due to reliance on GitHub Actions.
## Timeline of Events
### Initial Access
- **Date/Time:** November 2024
- **Vector:** Exploitation of a vulnerable GitHub Actions workflow within the **spotbugs** project.
- **Details:** Attacker gained unauthorized access to the spotbugs workflow.
### Lateral Movement
- **Date/Time:** December 6, 2024
- **Vector:** Exploitation of a vulnerable `pull_request_target` workflow via a malicious pull request from a disposable account.
- **Details:** Stole a maintainer's Personal Access Token (PAT).
- **Date/Time:** March 11, 2025
- **Vector:** Used the stolen PAT to add a dummy user to `spotbugs`, which then pushed a malicious workflow extracting a second PAT belonging to a `reviewdog` maintainer (RD\_MNTNR). This granted write access to **reviewdog/action-setup**.
- **Details:** Attacker poisoned the `v1` tag in `reviewdog/action-setup` to point to a malicious commit.
### Data Exfiltration/Impact
- **Date/Time:** March 11, 2025 (Deployment)
- **Vector:** Modification of `tj-actions/changed-files` (which depended on the poisoned `reviewdog` component) and overriding Git tags to redirect to a malicious commit.
- **Details:** The malicious action printed CI/CD secrets into GitHub Actions build logs for any repository executing it. The initial target was Coinbase's open-source agentkit project. **218 repositories** had their secrets exposed in logs.
### Detection & Response
- **Date/Time:** March 14, 2025
- **Vector:** Security researchers (StepSecurity) spotted the modified source code of `tj-actions/changed-files`.
- **Details:** Coinbase received notification and promptly removed the malicious workflow, thwarting the attempt to utilize their keys. The vulnerability was disclosed and tracked as CVE-2025-30066.
## Attack Methodology (Mapped to MITRE ATT&CK)
- **Initial Access:** Compromise of GitHub Actions workflow credentials (Spotbugs/reviewdog).
- **Persistence:** Overriding repository tags (`v1`) to point to a malicious commit, ensuring continued execution across dependent projects.
- **Privilege Escalation:** Used initial PAT to compromise a second repository maintainer's credentials (RD\_MNTNR's PAT).
- **Defense Evasion:** The mechanism relied on modifying legitimate, trusted upstream dependencies (`reviewdog/action-setup` redirected by tag override).
- **Credential Access:** Theft of Personal Access Tokens (PATs) via vulnerable workflow execution (`pull_request_target`).
- **Discovery:** The attacker leveraged existing access to move laterally between related repositories (`spotbugs` to `reviewdog`).
- **Lateral Movement:** Pivoting between compromised developer accounts/tokens across multiple related GitHub organizations.
- **Exfiltration:** **Log-based Exfiltration.** Secrets were printed into public CI/CD build logs; no evidence of remote network exfiltration was confirmed.
- **Impact:** Exposure of CI/CD secrets (keys, tokens) in 218 repositories.
## Impact Assessment
- **Financial:** Not explicitly stated, but significant incident response costs expected for remediating secret exposure across 218 projects.
- **Data Breach:** Exposure of CI/CD secrets (tokens, keys) across 218 repositories, narrowly missing Coinbase's sensitive environments.
- **Operational:** Disruption to CI/CD pipelines relying on the compromised action; need for secret rotation across all affected projects.
- **Reputational:** Significant negative impact on the trust placed in the open-source supply chain ecosystem.
## Indicators of Compromise
*Note: IPs/URLs are defanged based on provided information.*
- **Network indicators:** None explicitly detailed as exfiltration destination was not confirmed.
- **File indicators:** Malicious commit in `tj-actions/changed-files` (version tags retroactively updated).
- **Behavioral indicators:** Execution of GitHub Actions workflows that print secrets to publicly accessible build logs.
## Response Actions
- **Containment Measures:** Identified and removed the malicious commit/tag within `reviewdog/action-setup` and mitigated the dependency chain.
- **Eradication Steps:** Affected organizations were required to rotate all potentially compromised secrets/PATs exposed in the build logs.
- **Recovery Actions:** Advisories were published (MITRE, reviewdog maintainers); CISA added the CVE to the KEV catalog, prompting widespread patching.
## Lessons Learned
- **Supply Chain Trust:** Relying heavily on automated CI/CD systems requires rigorous vetting of upstream dependencies, even well-known open-source actions.
- **GitHub Actions Security:** The reliance on `pull_request_target` workflows proved highly dangerous when used with external contributor PRs, as it allowed execution with elevated permissions before code review.
- **Secret Visibility:** CI systems must be hardened to prevent the logging of sensitive secrets, even if developers assume logs are private (or when dependencies are compromised).
## Recommendations
- **Dependency Scanning:** Implement automated tooling to monitor dependencies for hijacked or maliciously modified tags/versions downstream.
- **Secret Management Hardening:** Review and restrict the permissions granted by Personal Access Tokens (PATs) used in CI/CD systems.
- **Workflow Restriction:** Limit the use of `pull_request_target` workflows, favoring configuration that runs only against trusted code or uses more constrained permissions.
- **Patching:** Immediately check if any internal projects utilized `tj-actions/changed-files` (v1) or the other compromised dependencies and rotate associated secrets.