Coinbase was primary target of recent GitHub Actions breaches
Posted: Sat Mar 22, 2025 2:31 pm
Researchers have determined that Coinbase was the primary target in a recent GitHub Actions cascading supply chain attack that compromised secrets in hundreds of repositories.
According to new reports from Palo Alto Unit 42 and Wiz, the attack was carefully planned and began when malicious code was injected into the reviewdog/action-setup@v1 GitHub Action. It is unclear how the breach occurred, but the threat actors modified the action to dump CI/CD secrets and authentication tokens into GitHub Actions logs.
As previously reported, the first stage of the breach involved the compromise of the reviewdog/action-setup@v1 GitHub Action. It is unclear how the breach occurred, but when a related GitHub Action, tj-actions/eslint-changed-files, invoked the reviewdog action, its secrets were dumped to workflow logs.
[...]
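The compromised action above is referenced by the tag `@v1`, and a tag can be repointed at different code, while a full 40-character commit SHA cannot. The following is an added example, not code from the article or the affected projects: it audits a workflow file for `uses:` references that are not pinned to a full commit SHA and flags the two actions the article names. The function name, the sample workflow, its SHA and the `@main` ref are constructed for illustration.

```python
import re

# Actions named in the article as part of the compromise chain.
NAMED_IN_ARTICLE = {"reviewdog/action-setup", "tj-actions/eslint-changed-files"}

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")


def audit_workflow(text):
    """Return (line_no, repo, ref, reasons) for each risky `uses:` line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        if target.startswith(("./", "docker://")):
            continue  # local actions and container images are out of scope
        action, _, ref = target.partition("@")
        repo = "/".join(action.split("/")[:2])  # owner/repo/subdir -> owner/repo
        reasons = []
        if not FULL_SHA_RE.fullmatch(ref):
            reasons.append("mutable-ref")  # tag or branch, can be repointed
        if repo in NAMED_IN_ARTICLE:
            reasons.append("named-in-article")
        if reasons:
            findings.append((line_no, repo, ref, reasons))
    return findings


# Constructed sample workflow; the SHA and the @main ref are made up.
SAMPLE_WORKFLOW = """\
name: lint
on: [pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: reviewdog/action-setup@v1
      - name: changed files
        uses: tj-actions/eslint-changed-files@main
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        print(finding)
```

A reference that is pinned to a SHA but belongs to a named action is still reported, since the pinned commit itself needs to be checked against the advisories.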