
Coinbase Targeted in Sophisticated GitHub Actions Supply Chain Attack
Coinbase, a leading cryptocurrency exchange, was the initial target of a supply chain attack on GitHub Actions in March 2025. The attackers first planted malicious code in the widely used reviewdog/action-setup@v1 action, which served as the initial breach vector. Workflows reference actions by mutable tags such as @v1 rather than by immutable commit hashes, so every project that resolved the tag pulled the attackers' code on its next run. The incident underscores the growing threat of supply chain attacks in the software development ecosystem, in which attackers compromise a popular shared component to reach the secrets of every project that depends on it (Bleeping Computer).
The attackers then used a malicious build of the tj-actions/changed-files GitHub Action to obtain a GitHub token with write permissions to the coinbase/agentkit repository. AgentKit is Coinbase's framework for letting AI agents interact with blockchains, which made it a valuable target for anyone seeking a foothold in the cryptocurrency ecosystem (Cybersecurity Dive).
The Anatomy of the Attack: How Coinbase Became the Bullseye
Initial Breach Vector
The GitHub Actions breaches that targeted Coinbase began with a carefully staged supply chain attack. The attackers injected malicious code into the reviewdog/action-setup@v1 GitHub Action, which served as the initial breach vector. The action was used across numerous projects, which made it an ideal target: compromising one shared component reaches every workflow that depends on it. The malicious code dumped CI/CD secrets, the passwords, tokens and keys that automated pipelines use to authenticate, into the GitHub Actions logs of any workflow that ran it, where the attackers could read them and use them to gain further access.
Targeting Coinbase’s Repositories
Coinbase was specifically targeted because coinbase/agentkit used the tj-actions/changed-files GitHub Action. The attackers obtained a GitHub token with write permissions to the coinbase/agentkit repository on March 14, 2025, just hours before expanding their attack to every project using the changed-files action (Cybersecurity Dive). AgentKit is a popular framework that lets AI agents interact with blockchains, making it a valuable target for attackers seeking a foothold in the cryptocurrency ecosystem.
Exploitation of Workflow Logs
The reviewdog compromise was the lever for the rest of the campaign. The tj-actions/eslint-changed-files action itself depends on reviewdog/action-setup, so when its workflows ran, the malicious reviewdog code dumped that workflow's secrets into the workflow logs. Among them was a Personal Access Token used by the tj-actions maintainers, which the attackers then used to push a malicious commit to the tj-actions/changed-files GitHub Action and to point its existing release tags at that commit (Wiz Blog). The first malicious version of changed-files was written to act only in workflows of repositories associated with Coinbase, highlighting the attackers' focus on the company: when it ran in coinbase/agentkit, it leaked the write-capable GitHub token described above into that repository's workflow logs.
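The reason a log dump works as an exfiltration channel is that the runner's secret masking only redacts exact copies of registered secret values: a dump that is encoded before it is printed reaches the stored logs untouched. The following Python script is an added example written for this page, not code from the incident reports or from Coinbase or the action maintainers; the secret values, the log lines and the choice of two base64 layers are constructed for illustration. It models that masking behaviour and then scans the resulting log lines, decoding base64 runs, to recover what masking let through.

```python
import base64
import re

# Constructed sample secrets (not real credentials): the shapes a CI job
# typically holds in its environment.
SAMPLE_SECRETS = {
    "GH_PAT": "ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8",
    "AWS_KEY": "AKIAEXAMPLEEXAMPLE12",
}

# Shapes of common credentials, used when the exact secret values are unknown.
TOKEN_PATTERNS = [
    ("github-pat", re.compile(r"ghp_[A-Za-z0-9]{36}")),
    ("github-fine-grained-pat", re.compile(r"github_pat_[A-Za-z0-9_]{20,}")),
    ("aws-access-key-id", re.compile(r"AKIA[0-9A-Z]{16}")),
]
B64_RUN = re.compile(r"[A-Za-z0-9+/=]{24,}")


def mask_secrets(line, secrets):
    """Model of the runner's log masking: only *exact* copies of registered
    secret values are replaced by ***; any transformed copy passes through."""
    for value in secrets.values():
        line = line.replace(value, "***")
    return line


def decode_layers(blob, max_depth=2):
    """Yield successive base64 decodings of blob, stopping when the text is no
    longer valid base64 or does not decode as UTF-8."""
    current = blob
    for _ in range(max_depth):
        try:
            decoded = base64.b64decode(current, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return
        yield decoded
        current = decoded.strip()


def find_leaks(log_lines, secrets):
    """Scan workflow log lines for secrets in plain, base64 or double-base64
    form. Returns a sorted list of (line_no, encoding, label) tuples, where
    label is the secret's name when its value is known, else 'pattern:<kind>'."""
    hits = set()
    for line_no, line in enumerate(log_lines, 1):
        candidates = [("plain", line)]
        for blob in B64_RUN.findall(line):
            for depth, text in enumerate(decode_layers(blob), 1):
                candidates.append((f"base64x{depth}", text))
        for encoding, text in candidates:
            for name, value in secrets.items():
                if value in text:
                    hits.add((line_no, encoding, name))
            for kind, pattern in TOKEN_PATTERNS:
                if pattern.search(text):
                    hits.add((line_no, encoding, f"pattern:{kind}"))
    return sorted(hits)


def build_sample_log():
    """Constructed log excerpt as the runner would store it: a benign line, a
    secret echoed in clear (which masking catches), and an environment dump
    exfiltrated as base64 applied twice (which masking misses)."""
    dump = "\n".join(f"{name}={value}" for name, value in SAMPLE_SECRETS.items())
    once = base64.b64encode(dump.encode()).decode()
    twice = base64.b64encode(once.encode()).decode()
    raw_lines = [
        "Run tj-actions/changed-files@v45",
        f"echo {SAMPLE_SECRETS['GH_PAT']}",
        twice,
    ]
    return [mask_secrets(line, SAMPLE_SECRETS) for line in raw_lines]


if __name__ == "__main__":
    for hit in find_leaks(build_sample_log(), SAMPLE_SECRETS):
        print(hit)
```

Run against real logs, `find_leaks` is useful in two modes: with the repository's actual secret values (to confirm which ones a suspicious run exposed, and therefore which to rotate) and with an empty dictionary, where only the token-shape patterns apply and the scan can be pointed at logs from any repository. Because `decode_layers` gives up on anything that is not valid base64 or UTF-8, commit hashes and other long alphanumeric runs in ordinary logs do not produce false hits.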
Expansion to Other Projects
After the attempt to compromise Coinbase's assets failed to yield anything of value, the attackers expanded the campaign to every project using the tj-actions/changed-files action by replacing the Coinbase-specific payload with one that dumped secrets from any workflow. Although more than 23,000 projects used the action, only 218 repositories were ultimately confirmed to have leaked secrets (Palo Alto Networks). The change marks the shift from a targeted attack on Coinbase to a broad, opportunistic campaign affecting multiple projects.
Mitigation and Response
Coinbase's quick detection and response limited the damage. Once the compromise was identified, Coinbase moved immediately to secure the affected repositories and cut off the unauthorized access, and it shared its findings with the researchers at Palo Alto Networks and Wiz who were investigating the campaign (Hunters Security). Those efforts, together with the fact that the attackers never progressed from holding a write-capable token to more severe actions such as remote code execution in Coinbase's environment, kept the overall impact of the breach limited.
Attackers’ Profile and Motives
The attackers behind this campaign appear to be active in the crypto ecosystem; their working hours align with Europe or Africa, and the available evidence indicates that they are French and English speaking. Their tooling shows a sophisticated understanding of GitHub Actions and of supply chain weaknesses such as mutable version tags (Wiz Blog). The motive appears to be financial: they singled out a major cryptocurrency company and sought write access to its repositories for unauthorized access and potential financial gain.
Lessons Learned and Future Implications
This breach highlights the growing threat of supply chain attacks in the software development ecosystem. Two weaknesses made it possible: workflows resolve actions by mutable tags, so a retargeted tag silently swaps in new code, and every credential available to a workflow is exposed to every action the workflow runs. The practical countermeasures are to pin actions to full commit SHAs rather than tags, to grant the GITHUB_TOKEN only the permissions each job needs, to treat workflow logs as a potential exfiltration channel and review them for encoded dumps, and to rotate any secret that an affected workflow could reach. Beyond that, organizations need continuous monitoring, proactive threat-hunting and urgent mitigation whenever a dependency is compromised, so that exposed credentials are revoked before they are used (Hunters Security).
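Two of the countermeasures above, pinning and least-privilege tokens, can be checked mechanically against a repository's workflow files. The script below is an added example for this page, not code from the incident write-ups or from any of the projects named; the sample workflow, the placeholder commit hashes and the severity labels are assumptions made for illustration. It flags every third-party action referenced by a mutable tag or branch instead of a full commit SHA (rating the actions involved in this campaign higher) and reports workflows that leave the GITHUB_TOKEN at the repository default or request write-all.

```python
import re

# Matches a step's "uses:" line, with or without the list dash, quotes, and a
# trailing "# v1.2.3" comment of the kind Dependabot appends to SHA pins.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Actions named in the incident: a tag reference to any of these pulled
# attacker-controlled code while the tags were retargeted.
INCIDENT_ACTIONS = {
    "tj-actions/changed-files",
    "tj-actions/eslint-changed-files",
    "reviewdog/action-setup",
}


def parse_uses(reference):
    """Split 'owner/repo[/path]@ref' into ('owner/repo', ref). Local (./...)
    and docker:// references are not tag-resolved actions and return None."""
    if reference.startswith("./") or reference.startswith("docker://"):
        return None
    action, sep, version = reference.rpartition("@")
    if not sep:
        action, version = reference, None
    owner_repo = "/".join(action.split("/")[:2])
    return owner_repo, version


def audit_pins(workflow_text):
    """Return (line_no, severity, action, ref) for every third-party action
    that is not pinned to a full 40-hex commit SHA."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if not match:
            continue
        parsed = parse_uses(match.group(1))
        if parsed is None:
            continue
        action, version = parsed
        if version and SHA_RE.match(version):
            continue  # immutable pin: a retargeted tag cannot affect this step
        severity = "HIGH" if action in INCIDENT_ACTIONS else "MEDIUM"
        findings.append((line_no, severity, action, version or "(none)"))
    return findings


def audit_token_permissions(workflow_text):
    """Least-privilege check on the GITHUB_TOKEN: flag a workflow that never
    declares 'permissions:' (it inherits the repository default) or that
    asks for write-all."""
    findings = []
    if not re.search(r"^\s*permissions:", workflow_text, re.M):
        findings.append("no permissions block: GITHUB_TOKEN gets the repository default")
    if re.search(r"^\s*permissions:\s*write-all", workflow_text, re.M):
        findings.append("permissions: write-all grants write scopes to every step")
    return findings


# Constructed workflow. The 40-hex values are placeholders, not real commits.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
permissions:
  contents: read
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)
      - uses: tj-actions/changed-files@v45
      - uses: reviewdog/action-setup@v1
      - uses: "actions/setup-node@v4"
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
      - name: pinned
        uses: tj-actions/changed-files@89abcdef0123456789abcdef0123456789abcdef # placeholder SHA
"""

if __name__ == "__main__":
    for finding in audit_pins(SAMPLE_WORKFLOW):
        print("unpinned:", finding)
    for finding in audit_token_permissions(SAMPLE_WORKFLOW):
        print("permissions:", finding)
```

A SHA pin is only as good as the review of the commit it names, and it has to be refreshed deliberately when the action is updated, which is why the comment form `@<sha> # v4` that Dependabot and Renovate maintain is worth keeping. One caveat the campaign itself illustrates: pinning is not transitive. tj-actions/eslint-changed-files pulled in reviewdog/action-setup by tag inside its own definition, so a workflow that pinned eslint-changed-files to a SHA still ran whatever code the reviewdog v1 tag pointed at. Auditing the `uses:` lines of the composite actions you depend on, not just your own workflows, closes that gap.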
Summary of Attack Flow
The attack on Coinbase can be summarized as a multi-stage process:
- Initial compromise: malicious code injected into reviewdog/action-setup@v1.
- Credential theft: the compromised reviewdog action dumped secrets from tj-actions/eslint-changed-files workflows, exposing a maintainer token for tj-actions.
- Targeting Coinbase: a malicious tj-actions/changed-files build aimed at coinbase/agentkit leaked a write-capable GitHub token into workflow logs.
- Exfiltration of secrets: workflow logs used as the channel to dump and collect sensitive information.
- Expansion: the payload was generalized to dump secrets from every project using the changed-files action.
- Mitigation: Coinbase's response and collaboration with security researchers limited the impact.
This detailed analysis of the attack on Coinbase provides valuable insights into the tactics, techniques, and procedures employed by the attackers, as well as the measures taken to mitigate the breach and prevent future incidents.
Final Thoughts
The breach targeting Coinbase highlights the critical need for robust security measures in the face of increasingly sophisticated supply chain attacks. Despite the attackers’ efforts, Coinbase’s quick detection and collaboration with security researchers helped mitigate the potential damage. This incident serves as a stark reminder of the importance of continuous monitoring and proactive threat-hunting to safeguard against similar attacks in the future (Hunters Security). As organizations continue to rely on complex software ecosystems, the lessons learned from this breach will be invaluable in strengthening defenses against future threats.
References
- Bleeping Computer. (2025). Coinbase was primary target of recent GitHub Actions breaches. https://www.bleepingcomputer.com/news/security/coinbase-was-primary-target-of-recent-github-actions-breaches/
- Cybersecurity Dive. (2025). Coinbase targeted in GitHub Action attack. https://www.cybersecuritydive.com/news/coinbase-targeted-github-action-attack/743186/
- Wiz Blog. (2025). New GitHub Action supply chain attack: reviewdog/action-setup. https://www.wiz.io/blog/new-github-action-supply-chain-attack-reviewdog-action-setup
- Palo Alto Networks. (2025). GitHub Actions supply chain attack. https://unit42.paloaltonetworks.com/github-actions-supply-chain-attack/
- Hunters Security. (2025). GitHub Actions supply chain attack. https://www.hunters.security/en/blog/github-actions-supply-chain-attack