Tj-actions Supply Chain Attack Traced Back to GitHub Token Compromise

A recent supply chain attack that compromised the popular tj-actions/changed-files GitHub action has left a trail of digital destruction, affecting 218 GitHub repositories.
As investigators dig deeper, the origins of this sophisticated breach are slowly coming into focus, revealing both the initial compromise and the ultimate target.
While the desired target was GitHub projects linked to Coinbase, a popular cryptocurrency exchange, the attack’s point of origin has been traced back to the theft of a single token from a spotbugs workflow. This granted the threat actor unauthorized access and enabled them to compromise a multitude of GitHub projects.
SpotBugs is a static analysis tool that identifies bugs in Java code. It is maintained by RD_MNTNR, who was also an active maintainer of reviewdog, an automated code review and testing GitHub project whose compromise led to tj-actions/changed-files being tampered with.
The tj-actions/changed-files Attack Explained
On March 14, security researchers spotted that the source code of tj-actions/changed-files had been modified.
GitHub Actions are continuous integration and continuous delivery (CI/CD) frameworks designed to streamline the building, testing and deployment of code.
A spokesperson at StepSecurity commented: “In this attack, the attackers modified the action’s code and retroactively updated multiple version tags to reference the malicious commit. The compromised Action prints CI/CD secrets in GitHub Actions build logs.”
“If the workflow logs are publicly accessible (such as in public repositories), anyone could potentially read these logs and obtain exposed secrets. There is no evidence that the leaked secrets were exfiltrated to any remote network destination,” they added.
In a blog post, software supply chain security firm Endor Labs wrote: “The attacker was likely not looking for secrets in public repositories – they are already public. They were likely looking to compromise the software supply chain for other open-source libraries, binaries and artifacts created with this. Any public repository that creates packages or containers as part of a CI pipeline could have been impacted. That means potentially thousands of open-source packages have the potential to have been compromised.”
Initial estimates suggested that the attack had a staggering impact, compromising as many as 23,000 repositories.
However, a more thorough investigation revealed that the actual damage was significantly more contained, with the malicious tj-actions commit exposing sensitive secrets for only 218 repositories, a fraction of the initially feared total.
The incident was given an official CVE number, CVE-2025-30066, which was later added to the US Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog.
Further investigation uncovered that the threat actor had successfully infiltrated the reviewdog/action-setup GitHub project, inserting a malicious backdoor that was triggered when the tj-actions/eslint-changed-files project, which depended on it, was executed.
New Revelations: Coinbase and spotbugs
On March 20, researchers at Palo Alto Networks’ Unit42 discovered that the initial target of the attack was Coinbase, specifically its open-source agentkit GitHub project.
The attackers attempted to exploit the project’s public CI/CD pipeline, likely to use it as a stepping stone for further compromises.
However, the attack was partially thwarted, as the attackers were unable to access or utilize Coinbase’s secrets or publish malicious packages.
Following this initial attack, the Unit42 researchers believe the same threat actor escalated its efforts, leading to the more significant, more widespread attack that has garnered global attention.
On April 2, the Unit42 researchers revealed they had pieced together the stages that led to the original compromise, based on an advisory published by reviewdog maintainers.
According to Unit42, the attackers initially gained access by exploiting the GitHub Actions workflow of spotbugs in November 2024, which enabled them to move laterally between spotbugs repositories until they gained access to reviewdog.
Timeline of the Attack
November 2024: The attacker gained unauthorized access to spotbugs.
December 6, 2024: The attacker leveraged a vulnerable ‘pull_request_target’ workflow to steal a maintainer’s Personal Access Token (PAT) through a malicious pull request submitted by a disposable user account (randolzflow).
March 11, 2025: The attacker utilized the stolen PAT to add another dummy user (jurkaofavak) to the spotbugs repository. This user then pushed a malicious GitHub Actions workflow that extracted a second PAT belonging to a reviewdog maintainer (RD_MNTNR), who also had access privileges to spotbugs. The stolen PAT granted the attacker write access to the reviewdog/action-setup repository, enabling them to replace the v1 tag with a malicious commit from a forked repository.
This effectively poisoned all projects that relied on the v1 tag, creating a backdoor that was triggered when used in conjunction with tj-actions/eslint-changed-files. The attacker then used the stolen credentials to overwrite git tags in the repository, redirecting them to a malicious commit designed to dump sensitive secrets from Continuous Integration (CI) runners into logs. The malicious commit exposed secrets for 218 repositories, including those related to Coinbase.
March 14, 2025: Coinbase’s CI pulled and executed the modified version, but the attacker’s attempt to infiltrate Coinbase’s systems was thwarted. The company was promptly notified of the potential security issue and removed the malicious workflow, which limited the damage.
March 14, 2025: Researchers from StepSecurity spotted that the source code of tj-actions/changed-files had been tampered with.
March 15, 2025: The vulnerability was disclosed by MITRE and allocated a CVE identifier, CVE-2025-30066.
March 16, 2025: Adnan Khan, an independent offensive security researcher, published a report pointing to the compromise of another GitHub organization, reviewdog.
March 18, 2025: CISA added CVE-2025-30066 to its KEV catalog.
March 18, 2025: Reviewdog maintainers published a security advisory.
March 20, 2025: Palo Alto Networks’ Unit42 revealed that Coinbase-related projects were the initial targets of the attack.
April 2, 2025: A new update from Palo Alto Networks’ Unit42 traced back the attack to the theft of a single token from a spotbugs workflow.
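The timeline above turns on two workflow weaknesses: a ‘pull_request_target’ job that checks out and runs code from an untrusted pull request while secrets are in scope, and downstream projects consuming actions through mutable tags such as v1, which the attacker simply re-pointed. The following added audit script (written for this article, not code from any of the projects named here) scans a workflow file for both conditions; the sample workflow and the placeholder commit SHA are constructed for the example.

```python
import re

# Constructed sample workflow exhibiting both weaknesses described in the
# article: a pull_request_target trigger that checks out the PR head, and
# third-party actions referenced by mutable tags instead of full commit SHAs.
SAMPLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: reviewdog/action-setup@v1
      - uses: tj-actions/changed-files@v45
      - uses: example/pinned-action@1234567890abcdef1234567890abcdef12345678
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")                  # full commit SHA
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")      # 'uses:' step lines
PR_HEAD_RE = re.compile(r"github\.event\.pull_request\.head")
PRT_RE = re.compile(r"\bpull_request_target\b")


def unpinned_actions(workflow_text):
    """Return action references resolved through a mutable ref (branch or
    tag) rather than a full commit SHA. Re-pointing such a tag is exactly
    how the reviewdog/action-setup v1 compromise propagated downstream."""
    findings = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref_spec = m.group(1)
        if ref_spec.startswith("./") or ref_spec.startswith("docker://"):
            continue  # local or container actions carry no git ref to pin
        _action, _, ref = ref_spec.partition("@")
        if not SHA_RE.match(ref):
            findings.append(ref_spec)
    return findings


def runs_untrusted_code_with_secrets(workflow_text):
    """True when the workflow fires on pull_request_target (secrets and a
    write-capable token available) and also checks out the PR head, so a
    fork's code runs with the base repository's privileges."""
    return bool(PRT_RE.search(workflow_text)) and bool(PR_HEAD_RE.search(workflow_text))
```

Pinning every third-party action to a full commit SHA and using the plain ‘pull_request’ trigger for jobs that build untrusted code are the two mitigations this check enforces.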
Photo credit: Rcc_Btn/Shutterstock