The cascading supply chain attack that initially targeted Coinbase before becoming more widespread to single out users of the “tj-actions/changed-files” GitHub Action has been traced further back to the theft of a personal access token (PAT) related to SpotBugs.
“The attackers obtained initial access by taking advantage of the GitHub Actions workflow of SpotBugs, a popular open-source tool for static analysis of bugs in code,” Palo Alto Networks Unit 42 said in an update this week. “This enabled the attackers to move laterally between SpotBugs repositories, until obtaining access to reviewdog.”
There is evidence to suggest that the malicious activity began as far back as November, 2024, although the attack against Coinbase did not take place until March 2025.
Unit 42 said its investigation began with the knowledge that reviewdog’s GitHub Action was compromised due to a leaked PAT associated with the project’s maintainer, which subsequently enabled the threat actors to push a rogue version of “reviewdog/action-setup” that, in turn, was picked up by “tj-actions/changed-files” due to it being listed as a dependency via the “tj-actions/eslint-changed-files” action.
It has since been uncovered that the maintainer was also an active participant in another open-source project called SpotBugs.
The attackers are said to have pushed a malicious GitHub Actions workflow file to the “spotbugs/spotbugs” repository under the disposable username “jurkaofavak,” causing the maintainer’s PAT to be leaked when the workflow was executed.
It’s believed that the same PAT facilitated access to both “spotbugs/spotbugs” and “reviewdog/action-setup,” meaning the leaked PAT could be abused to poison “reviewdog/action-setup.”
“The attacker somehow had an account with write permission in spotbugs/spotbugs, which they were able to use to push a branch to the repository and access the CI secrets,” Unit 42 said.
As for how the write permissions were obtained, it has come to light that the user behind the malicious commit to SpotBugs, “jurkaofavak,” was invited to the repository as a member by one of the project maintainers themselves on March 11, 2025.
In other words, the attackers managed to obtain the PAT of the SpotBugs repository to invite “jurkaofavak” to become a member. This, the cybersecurity company said, was carried out by creating a fork of the “spotbugs/sonar-findbugs” repository and creating a pull request under the username “randolzfow.”
“On 2024-11-28T09:45:13 UTC, [the SpotBugs maintainer] modified one of the ‘spotbugs/sonar-findbugs workflows to use their own PAT, as they were having technical difficulties in a part of their CI/CD process,” Unit 42 explained.
“On 2024-12-06 02:39:00 UTC, the attacker submitted a malicious pull request to spotbugs/sonar-findbugs, which exploited a GitHub Actions workflow that used the pull_request_target trigger.”
The “pull_request_target” trigger is a GitHub Actions workflow trigger that allows workflows running from forks to access secrets – in this case, the PAT – leading to what’s called a poisoned pipeline execution attack (PPE).
The SpotBugs maintainer has since confirmed that the PAT that was used as a secret in the workflow was the same access token that was later used to invite “jurkaofavak” to the “spotbugs/spotbugs” repository. The maintainer has also rotated all of their tokens and PATs to revoke and prevent further access by the attackers.
One major unknown in all this is the three-month gap between when the attackers leaked the SpotBugs maintainer’s PAT and when they abused it. It’s suspected that the attackers were keeping an eye out on the projects that were dependent on “tj-actions/changed-files” and waited to strike a high-value target like Coinbase.
“Having invested months of effort and after achieving so much, why did the attackers print the secrets to logs, and in doing so, also reveal their attack?,” Unit 42 researchers pondered.
Leave a Reply