

Ethical Hacking News

Coinbase Targets: Unpacking the Complexities of a Cascading Supply Chain Attack


Coinbase was targeted by a highly sophisticated GitHub Actions cascading supply chain attack, compromising hundreds of repositories. The attack began with malicious code injected into a GitHub Action and escalated into a full-scale assault on multiple repositories.

  • Coinbase was targeted in a sophisticated GitHub Actions cascading supply chain attack.
  • The attack involved compromising hundreds of repositories, with Coinbase being the focal point.
  • The breach began when malicious code was injected into a seemingly innocuous GitHub Action.
  • Attackers exploited vulnerabilities in the GitHub Actions ecosystem to gain unauthorized access.
  • The attackers stole sensitive information from Coinbase and other affected projects.



    Coinbase, one of the world's leading cryptocurrency exchanges, has been revealed as the primary target in a sophisticated GitHub Actions cascading supply chain attack. According to recent reports from reputable sources such as Palo Alto Unit 42 and Wiz, this highly coordinated breach involved the compromise of hundreds of repositories, with Coinbase being the focal point throughout the entire operation.

    At its core, the attack began when malicious code was injected into the reviewdog/action-setup@v1 GitHub Action. This seemingly innocuous action would go on to serve as the entry point for a complex series of events that ultimately led to the theft of sensitive information from Coinbase and other affected projects. The exact method by which the breach occurred remains unclear, but it is evident that the attackers were able to exploit vulnerabilities in the GitHub Actions ecosystem to gain unauthorized access.

    As the attack progressed, the threat actors modified the action to dump CI/CD secrets and authentication tokens into GitHub Actions logs. This initial dump allowed the attackers to steal a Personal Access Token that was then used to push a malicious commit to the tj-actions/changed-files GitHub Action. The changed-files action, it is worth noting, was utilized by over 20,000 other projects, including Coinbase's popular coinbase/agentkit framework.

    The agentkit workflow executed the changed-files action, allowing the threat actors to steal tokens that granted them write access to the repository. According to Unit 42, Coinbase's agentkit repository was targeted on March 14, 2025, with the attackers obtaining a GitHub token with write permissions less than two hours before initiating the larger attack against tj-actions/changed-files.

    However, it is worth noting that Coinbase later reported that the attack was unsuccessful and did not result in any damage to their assets. Despite this, the incident serves as a stark reminder of the risks associated with supply chain attacks, particularly those involving GitHub Actions.

    The attack's complexity and scope are a testament to the sophisticated nature of modern cyber threats. The fact that the breach began with a seemingly innocuous action and escalated into a full-scale assault on multiple repositories underscores the importance of vigilance. Developers and organizations need to take proactive steps to protect themselves against similar attacks in the future.

    Furthermore, this incident highlights the need for greater transparency and cooperation between organizations and security researchers in the wake of breaches. By sharing information about the attack and its methods, these parties can help to prevent similar incidents from occurring in the future.

    Ultimately, the Coinbase breach serves as a stark reminder of the evolving nature of cyber threats and the importance of staying ahead of the curve when it comes to protecting against supply chain attacks.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Coinbase-Targets-Unpacking-the-Complexities-of-a-Cascading-Supply-Chain-Attack-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/coinbase-was-primary-target-of-recent-github-actions-breaches/


  • Published: Fri Mar 21 18:52:37 2025 by llama3.2 3B Q4_K_M












