Close Menu
  • Home
  • Identity
  • Inventions
  • Future
  • Science
  • Startups
  • Spanish
What's Hot

In Varda Space, major players in Silicon Valley make big bets on making drugs in space

A critical MCP-Remote vulnerability allows remote code execution, affecting over 437,000 downloads

As X loses CEO, daily use is decreasing and competition is growing

Facebook X (Twitter) Instagram
  • Home
  • About Us
  • Advertise with Us
  • Contact Us
  • DMCA
  • Privacy Policy
  • Terms & Conditions
  • User-Submitted Posts
Facebook X (Twitter) Instagram
Fyself News
  • Home
  • Identity
  • Inventions
  • Future
  • Science
  • Startups
  • Spanish
Fyself News
Home » spotbugs access token theft github Theft identified as the root cause of supply chain attacks
Identity

spotbugs access token theft github Theft identified as the root cause of supply chain attacks

userBy userApril 4, 2025No Comments3 Mins Read
Share Facebook Twitter Pinterest Telegram LinkedIn Tumblr Email Copy Link
Follow Us
Google News Flipboard
Share
Facebook Twitter LinkedIn Pinterest Email Copy Link

April 4, 2025Ravi LakshmananVulnerability/Open Source,

Cascaded supply chain attacks, which initially targeted Coinbase, have become widespread to a single user of “TJ-actions/Changed-Files” Github actions, and trace it further back to the theft of personal access tokens (PATs) related to spot bugs.

“Attackers gained initial access by leveraging SpotBugs’ GitHub Action Workflow, a popular open source tool for static analysis of bugs in code,” Palo Alto Networks Unit 42 said in an update this week. “This allowed the attacker to move sideways between SpotBugs repositories until they gained access to ReviewDog.”

The attack on Coinbase did not take place until March 2025, but there is evidence to suggest that malicious activity began back to November 2024.

Cybersecurity

Unit 42 said the investigation began with the knowledge that ReviewDog’s GitHub action was compromised due to leaked PAT related to the project’s maintainers. This allowed threat actors to push “ReviewDog/Action-Setup” by “TJ-actions/Changed-files” in “TJ-actions/Changed-files” because “TJ-Ictions/Changed-files” for “TJ-actions/Changed-files” for “TJ-actions/Changed-files” for “TJ-actions/Changed-files” for “TJ-actions/Changed-files” for “TJ-actions/Changed-files”.

It was later revealed that the maintainers were also active participants in another open source project called SpotBugs.

The attacker is said to have pushed the malicious Github action workflow file to the “SpotBugs/SpotBugs” repository under the disposable username “Jurkaofavak”.

It is believed that the same PAT has facilitated access to both “SpotBugs/SpotBugs” and “ReviewDog/Action-Setup.” In other words, leaked PATs can poison “ReviewDog/Action-Setup.”

Coinbase supply chain attack

“The attacker somehow had an account with write permission to SpotBugs/SpotBugs. This could be used to push the branch into the repository and access the CI’s secret,” Unit 42 said.

As for how write permission was obtained, it was revealed on March 11, 2025, that the user behind the malicious commit of “Jurkaofavak” in the malicious spot bug “Jurkaofavak” was invited to the repository by one of the project maintainers themselves.

In other words, the attacker was able to get a PAT for the SpotBugs repository to invite “Jurkaofavak” and become a member. The cybersecurity company said it was executed by creating a fork for the “Spotbugs/Sonar-findbugs” repository and creating a pull request under the username “Randolzfow”.

“2024-11-28T09:45:13 UTC, [the SpotBugs maintainer] “We’ve changed one of our SpotBugs/Sonar-Findbugs workflows and are using our own PAT due to technical issues in some of the CI/CD processes,” explained Unit 42.

“2024-12-06 02:39:00 At UTC, the attacker submitted a malicious pull request to spotbugs/sonar-findbug.

The “Pull_request_target” trigger is a GitHub Action Workflow trigger that allows workflows running from a fork to access secrets.

Cybersecurity

The SpotBugs maintainer then confirmed that the PAT used as the secret of the workflow was the same access token and that it was the same access token that was later used to invite “Jurkaofavak” to the “Spotbugs/Spotbugs” repository. The maintainer also rotated all tokens and pads to prevent further access by attackers.

One unknown in all of this is the three-month gap between when the attacker leaked Pat of the Spotbugs maintainer and when they abused it. The attackers are keeping an eye on projects that rely on “TJ-actions/Changed-Files,” and are suspected that they were waiting to hit a valuable target like Coinbase.

“After investing months of effort and achieving so much, did the attacker print secrets on the logs and revealing the attack by doing so?”

Did you find this article interesting? Follow us on Twitter and LinkedIn to read exclusive content you post.

Source link

Follow on Google News Follow on Flipboard
Share. Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
Previous ArticleTrump fires National Security Director and Cyber ​​Command
Next Article Automakers jump into Tesla brand anguish with discounted EV offers
user
  • Website

Related Posts

A critical MCP-Remote vulnerability allows remote code execution, affecting over 437,000 downloads

July 10, 2025

ICEX Forum 2025 Opens: FySelf’s TwinH Showcases AI Innovation

July 10, 2025

Fake Games and AI Companies Push Malware to Cryptocurrency Users via Telegram and Discord

July 10, 2025
Add A Comment
Leave A Reply Cancel Reply

Latest Posts

In Varda Space, major players in Silicon Valley make big bets on making drugs in space

A critical MCP-Remote vulnerability allows remote code execution, affecting over 437,000 downloads

As X loses CEO, daily use is decreasing and competition is growing

ICEX Forum 2025 Opens: FySelf’s TwinH Showcases AI Innovation

Trending Posts

Subscribe to News

Subscribe to our newsletter and never miss our latest news

Please enable JavaScript in your browser to complete this form.
Loading

Welcome to Fyself News, your go-to platform for the latest in tech, startups, inventions, sustainability, and fintech! We are a passionate team of enthusiasts committed to bringing you timely, insightful, and accurate information on the most pressing developments across these industries. Whether you’re an entrepreneur, investor, or just someone curious about the future of technology and innovation, Fyself News has something for you.

ICEX Forum 2025 Opens: FySelf’s TwinH Showcases AI Innovation

The Future of Process Automation is Here: Meet TwinH

Robots Play Football in Beijing: A Glimpse into China’s Ambitious AI Future

TwinH: A New Frontier in the Pursuit of Immortality?

Facebook X (Twitter) Instagram Pinterest YouTube
  • Home
  • About Us
  • Advertise with Us
  • Contact Us
  • DMCA
  • Privacy Policy
  • Terms & Conditions
  • User-Submitted Posts
© 2025 news.fyself. Designed by by fyself.

Type above and press Enter to search. Press Esc to cancel.