Summary: A targeted supply chain attack involving the GitHub Action “tj-actions/changed-files” was first directed at Coinbase’s open-source projects but escalated into a wider attack compromising 218 repositories. The attacker was able to exploit the CI/CD process, manage tokens, and introduce malicious code without initially triggering significant alarms. Security firms have tracked related vulnerabilities, specifically CVE-2025-30066 and CVE-2025-30154, linked to the attack’s methods and impacts.
Affected: GitHub Actions, Coinbase, 218 GitHub repositories
Key points:
- The initial attack targeted Coinbase but later expanded, compromising 218 repositories and exposing sensitive secrets.
- Malicious code was injected through the compromised “tj-actions/changed-files,” which was reliant on the similarly compromised “reviewdog/action-setup.”
- The attacker leveraged various evasion techniques, such as using dangling commits and anonymous accounts, to hide their actions on GitHub.
- Unit 42 indicated that the motivation might have been financial, particularly cryptocurrency theft, following Coinbase’s mitigation of the initial attack.
Source: https://thehackernews.com/2025/03/github-supply-chain-breach-coinbase.html