FlagThis

Coinbase was the initial target of a sophisticated supply chain attack on GitHub Actions, according to researchers from Palo Alto Networks and Wiz. The attack exploited the public continuous integration/continuous delivery flow of Coinbase's open-source project, agentkit. The hackers aimed to leverage agentkit for further compromises, but they did not manage to access Coinbase secrets or publish any packages.

Researchers found malicious code injected into the reviewdog/action-setup@v1 GitHub Action, a dependency of tj-actions/changed-files, which was also compromised. The attack leaked sensitive secrets from repositories that ran the workflow, assigned as CVE-2025-30066 and CVE-2025-30154. Approximately 218 repositories had secrets exposed, including credentials for DockerHub, npm, Amazon Web Services, and GitHub install access tokens.


References :

• The DefendOps Diaries: Coinbase Targeted in Sophisticated GitHub Actions Supply Chain Attack
• www.bleepingcomputer.com: Coinbase was primary target of recent GitHub Actions breaches
• www.cybersecuritydive.com: Coinbase originally targeted during GitHub Action supply chain attack
• thehackernews.com: TheHackerNews reports on Coinbase initially targeted in GitHub Actions attack.
• bsky.app: Both Wiz and Palo Alto Networks have found evidence that the compromise of the Changed-Files GitHub Action might have been a complex multi-tier supply chain attack targeting tools used by Coinbase developers
• www.scworld.com: GitHub Action attack initially set sights on Coinbase

Classification:

• HashTags: #SupplyChainAttack #GitHubActions #Coinbase
• Company: Coinbase
• Target: Coinbase
• Product: GitHub Actions
• Feature: Supply Chain Attack
• Type: SupplyChain
• Severity: Major