Cybersecurity researchers have concluded their investigation into a sophisticated supply chain attack targeting GitHub Actions, revealing that while 23,000 repositories utilized the compromised tj-actions/changed-files component, only 218 repositories experienced actual secret exposure. The investigation uncovered that cryptocurrency exchange Coinbase was the primary target, with subsequent propagation occurring as collateral damage.
Attack Vector Analysis: Supply Chain Compromise Methodology
The attack’s initial compromise vector targeted the reviewdog/action-setup@v1 component, where threat actors injected malicious code designed to extract CI/CD secrets through workflow logs. The attackers leveraged this vulnerability to obtain a Personal Access Token (PAT) from tj-actions/eslint-changed-files, enabling further malicious code propagation throughout the supply chain.
Impact Assessment and Exposure Analysis
Endor Labs’ analysis revealed that between March 14-15, 2025, 5,416 repositories from 4,072 organizations referenced the compromised GitHub Action. However, malicious code execution occurred in only 614 instances, with confirmed secret exposure in 218 repositories. The majority of compromised credentials were temporary GitHub tokens with 24-hour validity periods, though some instances involved DockerHub, npm, and AWS credential exposure.
Targeted Attack Investigation: Coinbase Incident
Research conducted by Palo Alto Unit 42 and Wiz identified the coinbase/agentkit framework as the primary target. Threat actors obtained a GitHub repository write access token approximately two hours before launching the widespread attack. However, Coinbase’s robust security controls successfully prevented any potential damage to their infrastructure.
Security Implementation Guidelines
The incident highlights critical security practices for GitHub Actions implementations:
– Utilize immutable SHA commits instead of mutable tags
– Implement strict token expiration policies
– Monitor CI/CD process logs carefully
– Deploy comprehensive access controls
The identified vulnerabilities have been assigned CVE-2025-30154 and CVE-2025-30066 identifiers.
This sophisticated supply chain attack demonstrates the evolving complexity of modern cyber threats and emphasizes the critical importance of implementing robust DevOps security measures. Organizations must conduct regular security audits of their GitHub Actions implementations and maintain comprehensive security controls across their CI/CD pipelines. The incident serves as a crucial reminder that even temporary credential exposure can pose significant risks to organizational security posture.
