
Recent GitHub supply chain attack traced to leaked SpotBugs token


Jasper_The_Rasper
Moderator

April 3, 2025 By Bill Toulas


A cascading supply chain attack on GitHub that targeted Coinbase in March has now been traced back to a single token stolen from a SpotBugs workflow, which allowed a threat actor to compromise multiple GitHub projects.

The popular static analysis tool SpotBugs was breached in November 2024, leading to the compromise of Reviewdog, which subsequently led to the infection of tj-actions/changed-files.

The multi-step supply chain attack eventually exposed secrets in 218 repositories, while the latest findings showed that the threat actors were initially attempting to breach projects belonging to the cryptocurrency exchange Coinbase.

The start of the attack, which has remained unknown so far, was discovered by Palo Alto Networks' Unit 42 researchers who added an update yesterday on their original analysis of the incident.


>>Full Article<<

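The post describes a cascade in which one compromised action (tj-actions/changed-files, reached via Reviewdog and a SpotBugs token) exposed secrets in many downstream repositories. Consumers of an action are exposed to that kind of compromise when their workflows resolve it through a mutable reference (a tag or branch) that the publisher controls; a full commit SHA does not move. The following is an added example, not code from the article or from SpotBugs, Reviewdog or tj-actions: a standard-library script that scans workflow files for `uses:` references that are not pinned to a 40-hex commit SHA. The sample workflow, its action names other than `actions/checkout` and `tj-actions/changed-files`, and the SHA are constructed placeholders.

```python
"""Flag GitHub Actions workflow steps that reference third-party actions by a
mutable ref (tag or branch) instead of a full commit SHA.

Added example, not code from the article or from any of the projects it names.
It uses only the standard library, so it runs offline on the constructed
workflow text below or on real files under .github/workflows/.
"""
import re
import sys
from pathlib import Path

# Matches `uses:` lines in a workflow; tolerant of list dashes and quotes.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)')
# A full 40-hex-digit commit SHA is the only ref GitHub treats as immutable.
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def classify_ref(uses: str) -> str:
    """Return 'local', 'docker', 'pinned', 'unpinned' or 'no-ref' for one uses value."""
    if uses.startswith('./'):
        return 'local'            # action in this repository: no external trust
    if uses.startswith('docker://'):
        return 'docker'           # image refs need digest pinning, checked elsewhere
    if '@' not in uses:
        return 'no-ref'           # resolves to the default branch: mutable
    _, ref = uses.rsplit('@', 1)
    return 'pinned' if FULL_SHA_RE.match(ref) else 'unpinned'


def find_unpinned(workflow_text: str):
    """Return [(line_no, uses_value)] for every third-party action not pinned to a SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        uses = m.group(1)
        if classify_ref(uses) in ('unpinned', 'no-ref'):
            findings.append((lineno, uses))
    return findings


# Constructed sample workflow (not from the article). The SHA is a placeholder,
# not a real tj-actions commit; reviewdog/action-setup and some-org/lint-action
# are illustrative names.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567
      - uses: reviewdog/action-setup@master
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - name: Lint
        uses: "some-org/lint-action"
"""


def main(paths):
    """Scan the given workflow files (or the sample) and return the number of findings."""
    if paths:
        texts = [(p, Path(p).read_text()) for p in paths]
    else:
        texts = [('<sample>', SAMPLE_WORKFLOW)]
    total = 0
    for name, text in texts:
        for lineno, uses in find_unpinned(text):
            print(f'{name}:{lineno}: not pinned to a commit SHA: {uses}')
            total += 1
    return total


if __name__ == '__main__':
    # Usage: python pin_check.py .github/workflows/*.yml ; exits 1 if anything is unpinned.
    sys.exit(1 if main(sys.argv[1:]) else 0)
```

Run with no arguments it reports three of the six sample steps: the tag `@v4`, the branch `@master`, and the reference with no ref at all. Pinning to a SHA only helps if the pinned commit was itself reviewed, and the check deliberately flags first-party actions too, since the post's point is that trust in one upstream project cascaded through several others.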