Threat actors used a personal access token (PAT) compromised in December 2024 to mount the March 2025 supply chain attack targeting GitHub Actions, Palo Alto Networks reports.
On March 14, the code of the tj-actions/changed-files GitHub action was altered to execute malicious code that would dump CI/CD secrets to build logs, likely in preparation of further attacks.
One week later, security researchers revealed that the attackers initially focused on exploiting an open source Coinbase project. After failing, however, they expanded their attack to all projects relying on the compromised action.
Down the dependency tree, roughly 160,000 projects are using the compromised action directly or indirectly. However, only 218 repositories exposed secrets as result of this supply chain attack.
This week, Palo Alto Networks published an update to its investigation into the root cause of the attack, revealing that it all started with the compromise of a PAT in December last year.
The PAT belonged to a SpotBugs maintainer, and was added in late November to a spotbugs/sonar-findbugs workflow due to technical difficulties with a CI/CD process.
The token was stolen by a threat actor on December 6, through a malicious pull request submitted to spotbugs/sonar-findbugs to exploit GitHub Actions workflow using the pull_request_target trigger (which allows workflows that run from forks to access secrets).
On March 11, the threat actors used the PAT to invite a malicious user named jurkaofavak to the spotbugs/spotobugs repository as a member, which provided them with write access.
Two minutes later, the user pushed a malicious GitHub Actions workflow file to the repository, creating a malicious workflow that leaked all spotbugs/spotbugs secrets, including those of a Reviewdog maintainer that had access to both SpotBugs and Reviewdog repositories.
“The workflow stringified all the available secrets, encrypted them with AES (symmetric encryption) and encrypted the symmetric key using a hard-coded RSA public key (asymmetric encryption). This ensured that the encrypted leaked secrets and their encryption key could only be decrypted and read by the attacker,” Palo Alto Networks explains.
On March 11, the attacker used the Reviewdog maintainer’s leaked PAT, which had permissions to push tags to the reviewdog/action-setup repository, to override the repo’s v1 tag to point to a malicious commit, impacting all consumers of the tag.
This led to the compromise of the tj-actions/eslint-changed-files action, which used reviewdog/action-setup as a dependency, subsequently leading to the compromise of the tj-actions/changed-files GitHub action.
On March 12, five days after a Coinbase maintainer created a workflow in coinbase/agentkit that depended on tj-actions/changed-files, the attacker prepared the attack by creating forks of tj-actions/changed-files and several Coinbase repositories.
On March 14, the malicious version of the tj-actions/changed-files GitHub action was executed by Coinbase, resulting in the exposure of a token with write permissions.
The vulnerable workflow of coinbase/agentkit was removed an hour and a half later, and the attacker pushed another malicious commit to tj-actions/changed-files, replacing all tags with malicious commits.
“From that point of compromise, the attacker impacted every GitHub workflow run that depended on the tj-actions/changed-files action,” Palo Alto Networks says.
The cybersecurity firm says it has confirmed the findings of its investigation with the maintainers of Reviewdog and SpotBugs.
Related: Impact, Root Cause of GitHub Actions Supply Chain Hack Revealed
Related: 39 Million Secrets Leaked on GitHub in 2024
Related: GitHub Actions Artifacts Leak Tokens and Expose Cloud Services and Repositories
Related: Solana Web3.js Library Backdoored in Supply Chain Attack
