Summary: A cascading supply chain attack initiated through the SpotBugs project has been linked to a theft of a personal access token (PAT), impacting users of the “tj-actions/changed-files” GitHub Action, including Coinbase. The attackers gained access via compromised GitHub Actions workflows, allowing them to manipulate repositories over several months. Investigations reveal a sophisticated series of events that highlights vulnerabilities in dependency management and access control within open-source projects.
Affected: Coinbase, SpotBugs, reviewdog
Key points:
- Attackers exploited a leaked PAT associated with SpotBugs to access reviewdog’s GitHub Action.
- The malicious activities suggest that the attack was premeditated, beginning as early as November 2024 and culminating in a focused strike on Coinbase in March 2025.
- Write permissions were reportedly obtained by social-engineering a maintainer into inviting a malicious account, which enabled the later stages of the attack.
- The attack utilized GitHub Actions workflows that allowed access to secrets, enabling a poisoned pipeline execution attack.
- The SpotBugs maintainer has since revoked the compromised tokens and secured the project against further threats.
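The two weaknesses the key points describe, workflows that expose secrets to untrusted code and third-party actions referenced by a mutable tag, are both visible in a workflow file before any run happens. The following scanner is an added example, not code from the article or from the SpotBugs, reviewdog or tj-actions projects; it assumes the widely documented `pull_request_target` plus PR-head-checkout pattern as the poisoned-pipeline indicator and treats anything other than a full commit SHA as an unpinned action. The two workflow texts and the all-zero SHA are constructed placeholders.

```python
"""Line-wise static check for two GitHub Actions workflow risks:
  1. a third-party action referenced by tag or branch instead of a commit SHA
  2. a pull_request_target workflow that checks out the untrusted PR head
Added example with constructed sample workflows; not the projects' own code.
"""
import re
from dataclasses import dataclass

# Only a full 40-hex commit SHA is immutable; tags and branches can be moved
# after the fact, which is how a compromised action reaches every consumer.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
HEAD_REF_RE = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")


@dataclass
class Finding:
    line: int      # 1-based line number in the workflow text
    rule: str
    detail: str


def scan_workflow(text: str) -> list:
    """Return a list of Finding for one workflow file, in line order."""
    lines = text.splitlines()
    # pull_request_target runs in the base repository's context, with its
    # secrets, even for pull requests from forks.
    pr_target = any(re.search(r"\bpull_request_target\b", ln) for ln in lines)
    findings = []
    for i, ln in enumerate(lines, start=1):
        m = USES_RE.match(ln)
        if m:
            target = m.group(1)
            if not target.startswith(("./", "docker://")):   # local / image refs skipped
                ref = target.split("@", 1)[1] if "@" in target else ""
                if not SHA_RE.match(ref):
                    findings.append(Finding(i, "unpinned-action",
                        f"{target} is pinned to a tag/branch, not a commit SHA"))
        # Checking out the PR head inside a pull_request_target job runs
        # attacker-controlled code with the repository's secrets available.
        if pr_target and HEAD_REF_RE.search(ln):
            findings.append(Finding(i, "pr-target-head-checkout",
                "pull_request_target workflow checks out the untrusted PR head"))
    return findings


# Constructed sample: the risky shape (secrets reachable by fork-supplied code).
WEAK_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: tj-actions/changed-files@v45
      - run: ./gradlew build
        env:
          TOKEN: ${{ secrets.SOME_TOKEN }}
"""

# Constructed sample: same job, hardened. The all-zero SHAs are placeholders;
# a real workflow pins each action to the commit it was reviewed at.
HARDENED_WORKFLOW = """\
name: ci
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # placeholder SHA
      - uses: tj-actions/changed-files@0000000000000000000000000000000000000000  # placeholder SHA
      - run: ./gradlew build
"""


if __name__ == "__main__":
    for name, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"== {name} ==")
        for f in scan_workflow(wf):
            print(f"line {f.line}: {f.rule}: {f.detail}")
```

The hardened sample also sets a read-only default `permissions` block, which the scanner does not check but which limits what a leaked `GITHUB_TOKEN` can do. Pinning to a SHA removes the tag-retargeting path the key points describe; it does not by itself tell you whether the pinned commit is trustworthy, so the pin should be paired with review of the action's source at that commit and automated update tooling that surfaces SHA changes as ordinary pull requests.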
Source: https://thehackernews.com/2025/04/spotbugs-access-token-theft-identified.html