SpotBugs Access Token Theft Identified as Root Cause of GitHub Supply Chain Attack

Summary:
A complex and far-reaching supply chain attack that ultimately impacted Coinbase has been traced back to the compromise of a personal access token (PAT) belonging to a maintainer of SpotBugs, a popular open-source static analysis tool for Java. According to Palo Alto Networks' Unit 42, the attack began with a GitHub Actions workflow in the SpotBugs project. On November 28, 2024, the SpotBugs maintainer modified the workflow to use their own PAT in order to work around technical issues in the CI/CD pipeline. Just over a week later, on December 6, a threat actor operating under the alias "randolzfow" submitted a malicious pull request to the "spotbugs/sonar-findbugs" repository. The pull request abused the pull_request_target trigger: unlike the ordinary pull_request event, pull_request_target runs the workflow in the context of the base repository, with access to its secrets, even when the pull request comes from a fork. Such a workflow becomes dangerous the moment it checks out and runs code taken from the pull request, and that is what happened here: the attacker's code executed with the repository's secrets, a poisoned pipeline execution that exposed the maintainer's PAT.

The attackers then used this compromised token to access additional repositories, including "reviewdog/action-setup", and pushed a rogue version of that GitHub Action. Because "reviewdog/action-setup" was a dependency of the "tj-actions/eslint-changed-files" project, the malicious code was in turn pulled into the widely used "tj-actions/changed-files" GitHub Action, and from there into the workflows of a large number of downstream users. One of those users was Coinbase, which became the campaign's highest-profile victim in March 2025.

Further investigation revealed that the attacker, using the disposable GitHub account "jurkaofavak", was invited directly into the "spotbugs/spotbugs" repository on March 11, 2025, in what appeared to be an invitation from a project maintainer. That access allowed the threat actor to push branches and reach CI secrets within the repository. It was later confirmed that the invitation had been issued with the same compromised PAT that was used to inject the malicious workflow, which is how an attacker-controlled account came to be added under a maintainer's identity.

Security Officer Comments:
Unit 42 researchers believe the attackers deliberately waited several months before using the stolen PAT, possibly monitoring dependency chains to identify a high-value target such as Coinbase before acting. The SpotBugs maintainer has since rotated all access tokens and PATs to block further exploitation, but the incident highlights the dangers of misconfigured workflows and of excessive trust in CI/CD automation: a single long-lived token reachable from a fork pull request was enough to seed a chain that reached Coinbase. Researchers also questioned the attacker's operational security choices, particularly why, after months of preparation, they exposed their activity by printing secrets to logs, effectively revealing the attack.

Suggested Corrections:

Immediate Steps for Affected Users

  • Identify usage: Search the workflow files in your repositories for tj-actions/changed-files and the other actions named above (tj-actions/eslint-changed-files, reviewdog/action-setup) to determine whether and where they are used, including indirectly through actions that depend on them.
  • Review workflow logs: Examine past workflow runs for evidence of secret exposure. The compromised action wrote secrets to the job log double-encoded in Base64, so a plain search for secret names or values will not find them; candidate blobs have to be decoded. This matters most where logs are public.
  • Rotate secrets: Revoke and regenerate any credentials that may have been exposed, including all API keys, access tokens and deployment credentials. Once a secret has appeared in a log, rotation is the only reliable remedy.
  • Investigate malicious activity: If the compromised action ran in your environment, treat every credential it could reach as compromised and look for follow-on use of those credentials, such as unexpected pushes, releases or cloud API calls.
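The log review above is hard to do by eye because the leaked secrets were not written in the clear. The scanner below is an added example, not code from the original article or from any project it names: it finds candidate Base64 blobs in log lines, decodes them layer by layer, and reports any that turn into readable text containing credential-like names. The sample log lines and the dumped values are constructed placeholders, not real credentials.

```python
"""Scan CI job logs for secrets that were written as Base64-encoded blobs.

Added example, not code from the original article or from any project named
in it. The compromised action wrote secrets to the job log double-encoded in
Base64, so searching the log for secret names or values finds nothing; this
scanner decodes candidate blobs layer by layer instead.
"""
import base64
import binascii
import re

# A run of Base64 alphabet long enough to be worth decoding (short runs are
# mostly hashes, identifiers and line noise).
BLOB_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Decoded text that is itself Base64-shaped: there is another layer to peel.
B64_SHAPE_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")
# Environment-style assignments whose names suggest a credential.
SECRET_RE = re.compile(r"(?i)\b([A-Z0-9_]*(?:TOKEN|SECRET|PASSWORD|KEY|PAT))\b\s*[=:]")
MAX_DEPTH = 3


def _decode_layers(blob):
    """Return (text, depth) once a blob decodes to readable, non-Base64 text.

    Returns None when a layer is not valid Base64, not UTF-8, or not printable,
    which is what happens for commit SHAs and other 40+ character tokens that
    merely look like Base64.
    """
    data = blob.encode()
    for depth in range(1, MAX_DEPTH + 1):
        try:
            text = base64.b64decode(data, validate=True).decode("utf-8")
        except (binascii.Error, ValueError):
            return None
        if not text or not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
            return None
        if B64_SHAPE_RE.fullmatch(text.strip()):
            data = text.strip().encode()  # still Base64: peel the next layer
            continue
        return text, depth
    return None


def scan_log(lines):
    """Report every Base64 blob in the log lines that decodes to readable text.

    Each finding records the 1-based line number, how many Base64 layers were
    peeled, the credential-like names in the decoded text, and a short preview.
    """
    findings = []
    for lineno, line in enumerate(lines, 1):
        for blob in BLOB_RE.findall(line):
            decoded = _decode_layers(blob)
            if decoded is None:
                continue
            text, depth = decoded
            names = sorted({m.group(1).upper() for m in SECRET_RE.finditer(text)})
            findings.append({
                "line": lineno,
                "depth": depth,
                "secret_names": names,
                "preview": text[:48].replace("\n", " "),
            })
    return findings


# Constructed sample: a fake credential dump such as the payload might have
# captured, double Base64-encoded into one log line. Values are placeholders.
_FAKE_DUMP = (
    "GITHUB_TOKEN=ghp_EXAMPLEonly000000000000000000000000\n"
    "AWS_SECRET_ACCESS_KEY=EXAMPLEKEYnotrealnotrealnotreal00\n"
    "NPM_TOKEN=npm_EXAMPLEonly0000000000000000000000\n"
)
_DOUBLE_ENCODED = base64.b64encode(base64.b64encode(_FAKE_DUMP.encode())).decode()
_SINGLE_ENCODED = base64.b64encode(b"DEPLOY_KEY=constructed-placeholder-value-123").decode()

SAMPLE_LOG = [
    "2025-03-14T12:00:01Z Run tj-actions/changed-files@v45",
    # A 40-character commit SHA looks like Base64 but decodes to binary: no hit.
    "2025-03-14T12:00:02Z HEAD is now at 0123456789abcdef0123456789abcdef01234567",
    "2025-03-14T12:00:03Z " + _DOUBLE_ENCODED,
    "2025-03-14T12:00:04Z All changed files: src/index.js",
    "2025-03-14T12:00:05Z " + _SINGLE_ENCODED,   # single layer, reported at depth 1
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['depth']} Base64 layer(s), "
              f"names={hit['secret_names']}, preview={hit['preview']!r}")
```

A commit SHA has the Base64 alphabet but decodes to binary, so it is discarded rather than reported, while a blob encoded only once is reported at depth 1. Feed scan_log the lines of the affected runs (for example saved from `gh run view <run-id> --log`) and treat every hit as a rotation trigger.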

Long-Term Security Improvements
  • Govern third-party actions in use: Vet external actions before they are allowed into workflows, and consider an organization-level allow list so that only approved actions can run.
  • Implement strict pipeline-based access controls (PBAC): Grant workflows the minimum permissions they need. Declare an explicit permissions block (for example, contents: read) instead of inheriting the repository default for GITHUB_TOKEN, and prefer short-lived, narrowly scoped credentials (OIDC-issued cloud tokens, fine-grained PATs) over long-lived, broadly scoped secrets.
  • Pin GitHub Actions: Instead of referencing an action by tag or branch (e.g., @v3 or @main), which the action's maintainer, or anyone holding their credentials, can repoint at new code, pin to the full-length commit SHA so that the code that runs cannot change without a visible change to your workflow. Pinning protects only the action you reference directly: in this incident reviewdog/action-setup was pulled in as a dependency of tj-actions/eslint-changed-files, so confirm that the actions you pin also pin their own dependencies.
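The three long-term items above (governing which actions run, least-privilege permissions, pinning) and the pull_request_target misuse described in the summary can all be checked mechanically against a repository's workflow files. The audit script below is an added example, not code from the original article or from any project it names: it reads workflow YAML as text with regular expressions and flags a pull_request_target workflow that checks out the pull request head, any action reference not pinned to a full commit SHA, any reference to the actions named in this incident, and a missing permissions block. The two workflows it runs against are constructed samples, and the 40-hex SHA in the hardened one is a placeholder of the right shape, not a real commit.

```python
"""Audit GitHub Actions workflow files for the weaknesses in this incident.

Added example, not code from the original article or from any project named
in it. It checks raw workflow YAML text with regular expressions so it needs
no third-party library; a production tool would parse the YAML properly.
"""
import re
from dataclasses import dataclass

# Actions named in the incident write-up; any reference deserves review.
WATCHLIST = {
    "tj-actions/changed-files",
    "tj-actions/eslint-changed-files",
    "reviewdog/action-setup",
}

USES_RE = re.compile(r"^\s*-?\s*uses:\s*[\"']?([^\"'\s#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
# actions/checkout pointed at the pull request head inside a privileged workflow.
HEAD_CHECKOUT_RE = re.compile(
    r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(?:sha|ref)\s*\}\}")


@dataclass
class Finding:
    severity: str   # critical, high, medium, low, info
    message: str


def _strip_comments(text):
    """Remove YAML comments so commented-out triggers or pins are not counted."""
    return "\n".join(re.sub(r"(?:^|\s)#.*$", "", line) for line in text.splitlines())


def audit_workflow(text):
    """Return the list of Findings for one workflow file's text."""
    findings = []
    body = _strip_comments(text)

    # 1. pull_request_target runs with the base repository's secrets even for
    #    pull requests from forks; checking out and running the PR head hands
    #    those secrets to whoever opened the pull request.
    if re.search(r"\bpull_request_target\b", body):
        if HEAD_CHECKOUT_RE.search(body):
            findings.append(Finding("critical",
                "pull_request_target workflow checks out the PR head: fork code runs with repository secrets"))
        else:
            findings.append(Finding("info",
                "pull_request_target trigger present: confirm no step builds or runs PR-controlled code"))

    # 2. Every remote action reference: watch-listed names and mutable refs.
    for ref in USES_RE.findall(body):
        if ref.startswith(("./", "docker://")):
            continue  # local composite actions and container images: out of scope
        name, _, version = ref.partition("@")
        action = "/".join(name.split("/")[:2])  # owner/repo, dropping any sub-path
        if action in WATCHLIST:
            findings.append(Finding("high", f"uses {ref}: action named in the incident, review its history"))
        if not FULL_SHA_RE.fullmatch(version):
            findings.append(Finding("medium", f"uses {ref}: not pinned to a full commit SHA"))

    # 3. Without an explicit permissions block GITHUB_TOKEN gets the repository
    #    default scope, which may be far broader than the job needs.
    if not re.search(r"^\s*permissions:", body, re.MULTILINE):
        findings.append(Finding("low", "no permissions block: GITHUB_TOKEN inherits the repository default scope"))
    return findings


# Constructed workflows for demonstration, not taken from any real repository.
VULNERABLE_WORKFLOW = """\
name: lint
on: [pull_request_target]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: tj-actions/changed-files@v45
      - uses: reviewdog/action-setup@v1
      - run: npm ci && npm run lint   # runs code from the fork with our secrets
"""

# The SHA below is a placeholder of the right shape; pin to the real commit.
HARDENED_WORKFLOW = """\
name: lint
on: [pull_request]
permissions:
  contents: read
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # vX.Y.Z (placeholder)
      - run: npm ci && npm run lint
"""

if __name__ == "__main__":
    for label, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"== {label} ==")
        for f in audit_workflow(wf) or [Finding("ok", "no findings")]:
            print(f"  [{f.severity}] {f.message}")
```

Run audit_workflow over every file under .github/workflows/ in each repository. The permissions check is deliberately coarse (any permissions key, at workflow or job level, satisfies it); a stricter tool would require the key at the workflow level and verify each scope, and would resolve each pinned action's own dependencies, since a pinned action can still reference its dependencies by tag.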

Link(s):
https://thehackernews.com/2025/04/spotbugs-access-token-theft-identified.html