GitHub Supply Chain Attack Expands Beyond Coinbase in Widespread CI/CD Compromise

A supply chain attack on the GitHub Action "tj-actions/changed-files" began as a targeted attempt against Coinbase's open-source project agentkit before escalating into a campaign against every repository that used the action.

According to a report from Palo Alto Networks' Unit 42, the attackers sought to exploit Coinbase's CI/CD pipeline but were unable to access secrets or publish packages. The broader compromise was discovered on March 14, 2025: a malicious version of "tj-actions/changed-files" dumped the runner's memory and wrote CI/CD secrets into workflow build logs, which are publicly readable for public repositories. This incident has been designated CVE-2025-30066 (CVSS score: 8.6).

Security firm Endor Labs estimates that 218 GitHub repositories leaked credentials, including access tokens for DockerHub, npm, and AWS, and GitHub App installation access tokens. Most of the exposed credentials, however, were short-lived GITHUB_TOKENs that expired when the workflow run completed, which limits but does not eliminate the exposure: any longer-lived secret passed to the job was also printed.

Further investigation uncovered that another GitHub Action, "reviewdog/action-setup", had been compromised first, enabling the attacker to obtain a Personal Access Token (PAT) with write access to "tj-actions/changed-files". This attack vector, tracked as CVE-2025-30154 (CVSS score: 8.6), let the attacker re-point the action's existing version tags at a malicious commit, so every workflow that referenced "tj-actions/changed-files" by tag rather than by commit SHA pulled the compromised code on its next run.

Unit 42 researchers noted that the attacker used evasion techniques including dangling commits (commits not reachable from any branch or tag, so they do not appear in the repository history), temporary GitHub accounts, and obfuscation of the payload's output in workflow logs, particularly during the Coinbase intrusion. The attacker also used pull requests from forks to introduce malicious code.

GitHub has stated that there is no evidence of a platform-wide compromise and has emphasized the importance of reviewing third-party Actions before updating, and of pinning them to a full commit SHA rather than a mutable tag. Coinbase reported the attack fully mitigated as of March 19, 2025.
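The practical check that follows from this incident is whether a repository's workflows reference third-party Actions by a mutable tag or branch (which a stolen PAT can re-point) or by a full 40-character commit SHA (which cannot be moved). The script below is an added example written for this article, not code from Unit 42, GitHub, Coinbase or the affected projects. It scans workflow text with a regular expression rather than a YAML parser so it runs without dependencies; the sample workflow, the KNOWN_COMPROMISED list and the Finding structure are assumptions made for the illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample workflow (not taken from any real repository). It mixes a
# tag reference, a branch reference, a full-SHA pin, a local action and a
# docker:// reference so that each classification path is exercised.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: reviewdog/action-setup@master
      - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b  # v4.0.3
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
"""

# Matches `uses:` lines as they appear in a GitHub Actions workflow; the
# captured group stops at whitespace, quotes or a trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Actions named in the advisories this article discusses. Assumption: a real
# deployment would load this from a maintained feed rather than hard-code it.
KNOWN_COMPROMISED = {"tj-actions/changed-files", "reviewdog/action-setup"}


@dataclass
class Finding:
    action: str        # owner/repo, ./path, or docker://image
    ref: str           # what follows the '@', empty if none
    kind: str          # 'sha', 'mutable', 'local' or 'docker'
    compromised: bool  # action appears in KNOWN_COMPROMISED


def parse_uses(line: str):
    """Return (action, ref) for a `uses:` line, or None for any other line."""
    m = USES_RE.match(line)
    if not m:
        return None
    spec = m.group(1)
    if "@" in spec:
        action, ref = spec.rsplit("@", 1)
    else:
        action, ref = spec, ""
    return action, ref


def classify(action: str, ref: str) -> str:
    """Local and docker references are out of scope for tag re-pointing;
    everything else is safe only when pinned to a full commit SHA."""
    if action.startswith("./"):
        return "local"
    if action.startswith("docker://"):
        return "docker"
    if SHA_RE.match(ref):
        return "sha"
    return "mutable"


def audit_workflow(text: str) -> list:
    """Classify every `uses:` reference in a workflow file's text."""
    findings = []
    for line in text.splitlines():
        parsed = parse_uses(line)
        if parsed is None:
            continue
        action, ref = parsed
        findings.append(Finding(action, ref, classify(action, ref),
                                action in KNOWN_COMPROMISED))
    return findings


def unpinned(findings: list) -> list:
    """References a moved tag or branch would silently change."""
    return [f for f in findings if f.kind == "mutable"]


def report(findings: list) -> list:
    """Human-readable lines, worst findings first."""
    lines = []
    for f in sorted(findings, key=lambda f: (not f.compromised, f.kind != "mutable")):
        flag = "COMPROMISED " if f.compromised else ""
        lines.append(f"{flag}{f.kind:8} {f.action}@{f.ref or '<none>'}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(audit_workflow(SAMPLE_WORKFLOW))))
```

Run against a real checkout by feeding each file under `.github/workflows/` to `audit_workflow`; anything reported as `mutable` should be replaced with the commit SHA it currently resolves to (keeping the tag as a trailing comment, as the setup-node line in the sample does), and anything flagged `COMPROMISED` should be treated as a prompt to rotate every secret the affected job could read, not just to repin.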

While the attacker's ultimate objective remains uncertain, experts suspect a financial motive, most likely cryptocurrency theft. The sudden shift from a targeted attack on Coinbase to an indiscriminate campaign may have been a reaction to Coinbase detecting and neutralizing the initial intrusion, prompting the attacker to extract what value remained before losing access to the stolen PAT.