A cascading supply chain attack that was initially aimed at Coinbase stemmed from the theft of a personal access token (PAT) belonging to a maintainer of the SpotBugs project. The attackers leveraged a weakness in the GitHub Actions workflow of SpotBugs to obtain that token, which gave them access to related repositories, including reviewdog. The malicious activity began as early as November 2024, while Coinbase was specifically targeted in March 2025. Research indicates that the attackers used the compromised PAT to insert rogue code into reviewdog, which in turn affected users of the tj-actions GitHub Action.
"The attackers obtained initial access by taking advantage of the GitHub Actions workflow of SpotBugs, a popular open-source tool for static analysis of bugs in code."
"Unit 42 said its investigation began with the knowledge that reviewdog's GitHub Action was compromised due to a leaked PAT associated with the project's maintainer."