The supply chain attack that initially compromised Coinbase and later affected users of the “tj-actions/changed-files” GitHub Action has been traced back to the theft of a personal access token (PAT) associated with SpotBugs, a popular open-source tool for static code analysis.
According to Palo Alto Networks Unit 42, the attackers gained initial access by exploiting the GitHub Actions workflow of SpotBugs, allowing them to move laterally between SpotBugs repositories and eventually obtain access to reviewdog, another open-source project.
Evidence suggests that the malicious activity began as early as November 2024, although the attack on Coinbase did not occur until March 2025.
Unit 42’s investigation revealed that the reviewdog GitHub Action was compromised due to a leaked PAT associated with the project’s maintainer, allowing the threat actors to push a rogue version of “reviewdog/action-setup” that was later picked up by “tj-actions/changed-files” through its dependency on the “tj-actions/eslint-changed-files” action.
Further investigation showed that the maintainer of reviewdog was also an active participant in the SpotBugs project.
The attackers pushed a malicious GitHub Actions workflow file to the “spotbugs/spotbugs” repository using a disposable username, causing the maintainer’s PAT to be leaked when the workflow was executed.
The same PAT was used to access both “spotbugs/spotbugs” and “reviewdog/action-setup,” allowing the attackers to poison “reviewdog/action-setup.”
According to Unit 42, the attackers gained write permission to the SpotBugs repository by creating a fork of the “spotbugs/sonar-findbugs” repository and submitting a malicious pull request.
The user behind the malicious commit, “jurkaofavak,” was invited to the repository as a member by one of the project maintainers on March 11, 2025.
The attackers created a pull request under the username “randolzfow” and exploited a GitHub Actions workflow that used the “pull_request_target” trigger, allowing them to access the PAT.
The “pull_request_target” trigger runs a workflow in the context of the base repository even when the pull request comes from a fork, so the fork’s code can execute with the repository’s secrets in scope, leading to a poisoned pipeline execution (PPE) attack.
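The two workflow shapes below are an added illustration of that mechanism, not the SpotBugs project’s actual workflow or anything published by Unit 42; the workflow names, the secret name MAINTAINER_PAT and the Gradle build command are assumed. The first shows the risky pattern, the second the safer form in which forked pull requests never run with secrets.

```yaml
# Added illustration (assumed names, not the SpotBugs repository's real workflow).
# Risky shape: pull_request_target runs in the base repo's context, so the
# repository's secrets are available, yet the job checks out and executes
# code controlled by whoever opened the pull request.
name: risky-pr-build
on:
  pull_request_target:        # secrets are in scope for this event
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Checks out the PR head, i.e. the fork author's code.
          ref: ${{ github.event.pull_request.head.sha }}
      - run: ./gradlew build  # build scripts from the fork now execute...
        env:
          # ...with a long-lived PAT (assumed secret name) in their environment.
          GH_TOKEN: ${{ secrets.MAINTAINER_PAT }}
---
# Safer shape: build untrusted pull requests under the pull_request event,
# where forked PRs receive no secrets and only a read-only GITHUB_TOKEN.
# Anything that needs write access belongs in a separate workflow that runs
# from the trusted base branch and never checks out or executes PR code.
name: safer-pr-build
on:
  pull_request:               # fork PRs: no secrets, read-only token
permissions:
  contents: read              # least privilege for the default token
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Prefer pinning third-party actions to a full commit SHA rather than a
      # mutable tag (placeholder below) so a retagged release cannot swap in
      # different code, as happened with "tj-actions/changed-files".
      - uses: actions/checkout@v4   # e.g. actions/checkout@<full-commit-sha>
      - run: ./gradlew build        # runs on the merge commit, no secrets present
```

A quick audit is to grep every workflow under .github/workflows for pull_request_target and confirm that none of those jobs check out the PR head and then run it while secrets are referenced.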
The SpotBugs maintainer has confirmed that the PAT used as a secret in the workflow was the same access token used to invite “jurkaofavak” to the “spotbugs/spotbugs” repository.
The maintainer has since rotated all tokens and PATs, revoking the attackers’ access and preventing further use of the leaked credentials.
However, the exact timeline of the attack and the motivations behind the three-month gap between the initial PAT leak and the Coinbase attack remain unclear.
Unit 42 researchers are left wondering why the attackers revealed their attack by printing secrets to logs, despite investing months of effort into the operation.