
A recent GitHub supply chain attack that initially impacted Coinbase has now been traced back to a deeper issue: the theft of a personal access token (PAT) related to SpotBugs, a popular open-source code analysis tool.
According to a detailed investigation by Palo Alto Networks’ Unit 42, the attack began when cybercriminals exploited a weakness in the GitHub Actions workflow used by SpotBugs. This allowed them to move laterally through related repositories, eventually targeting another well-known project called Reviewdog. The attack chain later reached tj-actions/changed-files, a commonly used GitHub Action, which unknowingly passed the malicious payload downstream to other projects, including Coinbase.
How the Attack Unfolded
The threat actors behind this attack first compromised a GitHub personal access token belonging to a SpotBugs project maintainer. This token, once leaked, enabled unauthorized access to multiple repositories, including reviewdog/action-setup.
Reviewdog is a widely used tool that integrates with GitHub Actions to provide automated code review results. Because of its integration with tj-actions/eslint-changed-files, which itself depends on “tj-actions/changed-files,” the rogue version of reviewdog was unknowingly adopted by many users downstream.
Although the Coinbase incident occurred in March 2025, Unit 42 researchers believe the initial malicious activity may have begun as early as November 2024.
The Role of SpotBugs in the Supply Chain Breach
SpotBugs became an entry point due to a flawed configuration in its GitHub Actions workflows. The attackers created a disposable GitHub account with the username “jurkaofavak” and used it to push a malicious workflow file to the SpotBugs repository.
When the workflow ran, it inadvertently exposed the maintainer’s PAT. This access token had permissions for both the SpotBugs and Reviewdog repositories. As a result, the attackers could alter Reviewdog’s setup and quietly distribute their malicious code further.
Further investigation revealed that the “jurkaofavak” account was directly invited to join the SpotBugs repository on March 11, 2025. This means that the attacker wasn’t just an external contributor—they had write access, granted by a project maintainer who may not have realized the risk.
How the Access Token Was Leaked
Unit 42’s report explains that the SpotBugs maintainer made a critical error in November 2024. While troubleshooting CI/CD issues, they placed their personal access token in a GitHub Actions workflow. This workflow used the “pull_request_target” trigger, which runs the base repository’s workflow with its full privileges, including access to secrets, in response to pull requests from forked repositories.
On December 6, 2024, the attacker submitted a malicious pull request to the SpotBugs repository via a fork. When the workflow executed, the maintainer’s PAT was exposed, giving the attacker the ability to return later and escalate their attack.
This technique is known as a Poisoned Pipeline Execution (PPE) attack, where threat actors exploit CI/CD pipelines by injecting malicious code into trusted environments.
Attack Timeline and Delayed Execution
One puzzling aspect of the attack is the delay between the token’s leak and its use. The attackers waited about three months before using the token to infiltrate deeper into the software supply chain.
Researchers suspect that the attackers monitored projects relying on “tj-actions/changed-files,” likely waiting for the right moment to strike a high-profile target. When Coinbase came into the picture, the attackers executed their plan, inserting malicious code into a trusted dependency and allowing it to spread.
Despite the careful planning, the attackers made a surprising misstep—they printed secrets to logs, a move that ultimately exposed their tactics and alerted security researchers.

Response and Remediation
Following the attack, the SpotBugs maintainer confirmed that the same PAT used in the exposed workflow was also the one that enabled “jurkaofavak” to be invited to the main repository. As a precaution, the maintainer revoked and rotated all access tokens, preventing further misuse.
This incident highlights the critical importance of securing GitHub Actions workflows, especially when using triggers like pull_request_target, which can be dangerous if not properly handled. It also emphasizes the risk of supply chain attacks in open-source ecosystems, where a single misconfiguration or leaked secret can compromise dozens or even hundreds of projects.
Key Takeaways for Developers
Avoid storing PATs or other secrets directly in workflows, especially in public repositories.
Use fine-grained access tokens with minimal permissions.
Be cautious when using the pull_request_target trigger, especially for workflows that run on contributions from external collaborators.
Regularly review and rotate secrets to limit the impact of any potential leak.
Monitor third-party dependencies and GitHub Actions for unusual activity.
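The pull_request_target misconfiguration described in the token-leak section and the takeaways above, as an added example that is not from the article or from the SpotBugs project: a constructed risky workflow beside a hardened one, plus a small audit function that flags the pattern. The secret name MAINTAINER_PAT and the build command are assumptions.

```python
import re

# Constructed example of the risky pattern: a pull_request_target workflow
# (runs with the base repo's secrets) that checks out the untrusted PR head
# and hands a PAT to a build step executed from that checkout.
RISKY_WORKFLOW = """\
name: ci
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: ./gradlew build
        env:
          GH_TOKEN: ${{ secrets.MAINTAINER_PAT }}  # hypothetical secret name
"""

# Hardened variant: plain pull_request trigger (fork PRs get no secrets and a
# read-only GITHUB_TOKEN), default merge-ref checkout, no PAT in the job.
SAFER_WORKFLOW = """\
name: ci
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./gradlew build
"""


def audit_workflow(text: str) -> list[str]:
    """Heuristic text lint (no YAML parser needed) for pull_request_target
    misuse; returns one finding string per problem found."""
    findings = []
    uses_prt = re.search(r"\bpull_request_target\b", text) is not None
    checks_out_head = re.search(r"github\.event\.pull_request\.head\.(sha|ref)", text)
    uses_secrets = re.search(r"\$\{\{\s*secrets\.\w+", text)  # GITHUB_TOKEN too
    if uses_prt and checks_out_head:
        findings.append("pull_request_target job checks out untrusted PR head")
    if uses_prt and uses_secrets:
        findings.append("secrets exposed to a pull_request_target job")
    return findings
```

Run audit_workflow over each file under .github/workflows to spot the same combination in your own repositories; the regexes are deliberately loose, so treat a hit as something to review rather than a verdict.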
Conclusion
The GitHub supply chain attack that reached Coinbase began with a small security lapse in an open-source project. This shows how attackers are increasingly using indirect methods and long-term strategies to compromise even well-defended targets.
Developers and organizations must stay vigilant, apply security best practices, and keep a close eye on how their CI/CD pipelines are configured. In the age of interconnected code, one compromised token can ripple through the entire ecosystem.