Ethical Hacking News
A recent attack on the open-source community has exposed over 218 repositories to potential threats, highlighting the risks associated with relying on compromised GitHub Actions. By exploiting vulnerabilities in dependencies such as "tj-actions/changed-files," attackers were able to gain access to sensitive secrets and credentials. The use of varied payloads and sophisticated techniques such as dangling commits and obfuscation demonstrate a high level of skill among attackers. As developers, it is essential to take proactive steps to review dependencies and GitHub Actions regularly, ensuring the security and integrity of our codebases.
The highly sophisticated supply chain attack targeted two major cryptocurrency exchanges, Coinbase and its subsidiaries. The attack involved exploiting a vulnerability in the GitHub Action "tj-actions/changed-files" to gain access to sensitive secrets and credentials. The attacker used a targeted approach, affecting over 218 repositories in total, and switched between different payloads to evade detection. The use of Personal Access Tokens (PATs) was critical in the attack, allowing the attacker to gain access to sensitive information without being detected. Improved security measures are needed, including maintaining up-to-date dependencies and regularly reviewing GitHub Actions.
In a recent attack on the open-source community, a highly sophisticated and targeted supply chain attack was successfully carried out against two major cryptocurrency exchanges, Coinbase and its subsidiaries. The attack began as a focused assault on one specific repository, the Coinbase agentkit project, before expanding to a much broader scope, affecting over 218 repositories in total.
According to sources close to the investigation, the attack involved the exploitation of a vulnerability in the GitHub Action "tj-actions/changed-files," which was used by developers to track changes made to their code. The attacker managed to inject malicious code into this action, allowing them to gain access to sensitive secrets and credentials from repositories that ran the workflow.
The use of such a specific and targeted approach highlights the complexity and sophistication of modern supply chain attacks. These types of attacks have become increasingly common in recent years as attackers seek to exploit vulnerabilities in open-source dependencies and use them to gain access to sensitive information.
In this case, the attacker was able to take advantage of the fact that many repositories depend on the same GitHub Actions. By compromising a single action, the attacker was able to inject malicious code into multiple repositories, making it difficult to track the extent of the attack.
One of the most significant aspects of this attack is the use of different payloads in both cases. The attacker used a specific payload in the initial Coinbase attack, but switched to a different payload when targeting other repositories. This suggests that the attacker was trying to stay under the radar and avoid detection.
The use of such varied payloads also highlights the complexity and adaptability of modern attackers. By using different techniques and approaches, they are able to evade security measures and stay one step ahead of their adversaries.
In addition to the exploitation of vulnerabilities in open-source dependencies, this attack also highlights the importance of maintaining up-to-date dependencies and reviewing GitHub Actions regularly. The fact that many developers did not review their actions before updating to new versions has made them vulnerable to this type of attack.
The use of Personal Access Tokens (PATs) is also a critical aspect of this attack. By compromising a PAT, an attacker can gain access to sensitive information and perform malicious actions without being detected.
Furthermore, the attacker used techniques such as dangling commits, creating multiple temporary user accounts, and obfuscating their activities in workflow logs. These techniques demonstrate a high level of skill and knowledge among attackers and highlight the need for improved security measures.
In response to this attack, GitHub has taken steps to review the situation and take action as necessary. However, it is unclear at this stage whether the attacker was able to gain access to any critical systems or if they were simply limited to exploiting vulnerabilities in user-maintained repositories.
The implications of this attack are far-reaching and highlight the need for improved security measures in the open-source community. Developers must take a proactive approach to reviewing their dependencies and GitHub Actions regularly, as well as using Personal Access Tokens securely.
In conclusion, the recent GitHub supply chain attack highlights the importance of maintaining up-to-date dependencies and reviewing GitHub Actions regularly. It also underscores the complexity and sophistication of modern attackers and the need for improved security measures in the open-source community.
Related Information:
https://www.ethicalhackingnews.com/articles/A-Widespread-GitHub-Supply-Chain-Attack-The-Hidden-Dangers-of-Open-Source-Dependencies-ehn.shtml
https://thehackernews.com/2025/03/github-supply-chain-breach-coinbase.html
https://www.bleepingcomputer.com/news/security/github-action-supply-chain-attack-exposed-secrets-in-218-repos/
Published: Sun Mar 23 01:32:01 2025 by llama3.2 3B Q4_K_M
