Introduction
A recent supply chain attack targeting the GitHub Action "tj-actions/changed-files" initially focused on one of Coinbase's open-source projects before expanding in scope. This incident highlights the growing vulnerabilities within software supply chains and the importance of securing public CI/CD workflows.
The Initial Attack on Coinbase
The attack was first identified as an attempt to exploit the public CI/CD flow of Coinbase’s open-source project, Agentkit. While the attacker failed to access Coinbase's secrets or publish unauthorized packages, the event underscored the risks associated with automated workflows. According to Palo Alto Networks' Unit 42, the attacker’s primary aim was likely to leverage the repository for broader compromises.
On March 14, 2025, it was discovered that "tj-actions/changed-files" had been compromised. The attack introduced a malicious payload that extracted sensitive information from repositories executing the workflow. This security breach has been assigned CVE-2025-30066, with a CVSS score of 8.6.
Widespread Impact and Exposure of Credentials
Endor Labs estimates that 218 GitHub repositories exposed their secrets due to the attack. The leaked credentials included authentication tokens for DockerHub, npm, and Amazon Web Services (AWS), as well as GitHub installation access tokens. Although the scale of the attack initially appeared alarming, a detailed analysis revealed that many of the leaked credentials were short-lived GitHub tokens that expired upon workflow completion.
Security researcher Henrik Plate emphasized that while the attack affected numerous repositories, its actual impact was mitigated by the short-lived nature of many compromised credentials.
The Expanding Attack on GitHub Actions
Further investigation revealed that the breach extended beyond "tj-actions/changed-files" to another GitHub Action, "reviewdog/action-setup." This repository, a dependency of "tj-actions/eslint-changed-files," was compromised before the "tj-actions" incident. The breach of "reviewdog/action-setup" was assigned CVE-2025-30154, also with a CVSS score of 8.6.
The exploitation of CVE-2025-30154 allowed the attacker to obtain a Personal Access Token (PAT) associated with "tj-actions/changed-files." This enabled unauthorized modifications to the repository, affecting every GitHub repository dependent on the action.
When "tj-actions/eslint-changed-files" was executed, secrets stored within the CI runner were leaked. These credentials included a PAT belonging to the "tj-bot-actions" GitHub user account. Researchers from Unit 42 suggested that the attacker may have acquired a token with write access to the "reviewdog" organization, although the exact method remains unknown.
Attack Techniques and Concealment Strategies
The attacker employed sophisticated evasion techniques, including:
Dangling Commits: By forking repositories, making changes, and submitting pull requests, the attacker introduced arbitrary commits while obscuring their tracks.
Multiple Temporary Accounts: The attacker used disposable GitHub accounts, such as "iLrmKCu86tjwp8," which was later hidden from public view.
Workflow Log Obfuscation: Activities within workflow logs were manipulated to avoid detection.
Senior Research Manager at Palo Alto Networks, Gil, noted that the attacker demonstrated an advanced understanding of CI/CD security and threat tactics. GitHub has since been reviewing the situation but has not confirmed whether a broader platform compromise occurred.
Further Investigations and Broader Implications
A deeper search into GitHub forks of "tj-actions/changed-files" uncovered additional suspicious accounts, such as "2ft2dKo28UazTZ" and "mmvojwip." These accounts were linked to forks of Coinbase-related repositories, including Onchainkit, Agentkit, and x402. The investigation also revealed unauthorized modifications to "changelog.yml" in Agentkit, redirecting workflows to a malicious version of "tj-actions/changed-files."
Variability in Attack Payloads
The attack featured different payloads depending on the target:
In the widespread attack, the attacker extracted secrets from environment variables and logged them in workflows.
When targeting Coinbase, the attacker specifically fetched GitHub tokens, ensuring that the malicious code executed only if the repository belonged to Coinbase.
These variations indicate a strategic approach to evading detection while maximizing damage.
Possible Motive and Attack Progression
While the attacker's ultimate goal remains uncertain, experts suspect financial motives, particularly cryptocurrency theft, due to the targeted nature of the Coinbase attack. Coinbase has since remediated the issue as of March 19, 2025.
One theory suggests that, after failing to compromise Coinbase's repository, the attacker shifted tactics, launching a larger-scale attack to exploit the compromised "tj-actions/changed-files." Notably, this shift occurred just 20 minutes after Coinbase mitigated the breach, indicating a reactive approach by the attacker.
Conclusion
The GitHub supply chain attack demonstrates the evolving threats in software security. The incident underscores the need for organizations to rigorously vet third-party dependencies, monitor CI/CD workflows, and enforce strict access controls. As software supply chains become increasingly interconnected, proactive security measures remain essential to mitigating future risks. GitHub continues to review the situation and urges users to scrutinize updates before implementation, reinforcing the importance of vigilance in open-source security.
0 Comments