Recent GitHub supply chain attack traced to leaked SpotBugs token

Summary: A cascading supply chain attack that began with a breach of the SpotBugs workflow put GitHub projects, including Coinbase's, at risk by exposing secrets in 218 repositories. The attacker stole a Personal Access Token (PAT) and used it to introduce malicious workflows into those projects. Although the attempts to reach Coinbase's infrastructure failed, the incident underscores critical weaknesses in the GitHub Actions ecosystem and the need for stronger security practices.

Affected: Coinbase, SpotBugs, Reviewdog, tj-actions

Key points:

  • SpotBugs was breached in November 2024, leading to a chain of compromises affecting 218 repositories.
  • The attack began with the theft of a PAT through a malicious pull request, which enabled further access to sensitive project actions.
  • No Coinbase secrets were ultimately exposed, but the incident highlights serious trust issues within the open-source ecosystem and has prompted recommendations for stronger security measures.
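As an added defensive example (not code from the article or from SpotBugs, tj-actions or reviewdog), the script below flags GitHub Actions `uses:` references that are not pinned to a full commit SHA, the control that limits how far a compromised upstream action can propagate; the sample workflow and the SHA in it are constructed.

```python
# Added example (not code from the article or from SpotBugs, tj-actions or
# reviewdog): flag `uses:` references in GitHub Actions workflows that are not
# pinned to a full 40-hex commit SHA. A mutable tag or branch (v45, main) pulls
# in whatever the upstream repo currently points at, so a compromised action
# propagates to every consumer on its next run; a SHA pin does not move.
import re
from pathlib import Path

# owner/repo[/path]@ref, ./local-path, or docker://image:tag
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?(?P<ref>[^\s'\"#]+)", re.M)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def unpinned_actions(workflow_text: str) -> list[str]:
    """Return action references whose @ref is not a full commit SHA."""
    findings = []
    for m in USES_RE.finditer(workflow_text):
        ref = m.group("ref")
        if ref.startswith(("./", "docker://")):
            continue  # local and container actions are out of scope here
        _, _, version = ref.rpartition("@")
        if not SHA_RE.match(version):  # also catches a missing @ref entirely
            findings.append(ref)
    return findings


def scan_repo(root: Path) -> dict[str, list[str]]:
    """Map each workflow file under root/.github/workflows to its findings."""
    results = {}
    for wf in sorted((root / ".github" / "workflows").glob("*.y*ml")):
        hits = unpinned_actions(wf.read_text())
        if hits:
            results[wf.name] = hits
    return results


# Constructed sample workflow; the SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
jobs:
  lint:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: tj-actions/changed-files@v45
      - uses: reviewdog/action-setup@main
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for ref in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"unpinned: {ref}")
```

Run `scan_repo(Path("."))` from a checked-out repository to get per-file findings; pair the pins with a tool such as Dependabot to keep the SHAs current.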

Source: https://www.bleepingcomputer.com/news/security/recent-github-supply-chain-attack-traced-to-leaked-spotbugs-token/