Cascaded supply chain attacks, which initially targeted Coinbase, have become widespread to a single user of “TJ-actions/Changed-Files” Github actions, and trace it further back to the theft of personal access tokens (PATs) related to spot bugs.
“Attackers gained initial access by leveraging SpotBugs’ GitHub Action Workflow, a popular open source tool for static analysis of bugs in code,” Palo Alto Networks Unit 42 said in an update this week. “This allowed the attacker to move sideways between SpotBugs repositories until they gained access to ReviewDog.”
The attack on Coinbase did not take place until March 2025, but there is evidence to suggest that malicious activity began back to November 2024.
Unit 42 said the investigation began with the knowledge that ReviewDog’s GitHub action was compromised due to leaked PAT related to the project’s maintainers. This allowed threat actors to push “ReviewDog/Action-Setup” by “TJ-actions/Changed-files” in “TJ-actions/Changed-files” because “TJ-Ictions/Changed-files” for “TJ-actions/Changed-files” for “TJ-actions/Changed-files” for “TJ-actions/Changed-files” for “TJ-actions/Changed-files” for “TJ-actions/Changed-files”.
It was later revealed that the maintainers were also active participants in another open source project called SpotBugs.
The attacker is said to have pushed the malicious Github action workflow file to the “SpotBugs/SpotBugs” repository under the disposable username “Jurkaofavak”.
It is believed that the same PAT has facilitated access to both “SpotBugs/SpotBugs” and “ReviewDog/Action-Setup.” In other words, leaked PATs can poison “ReviewDog/Action-Setup.”
“The attacker somehow had an account with write permission to SpotBugs/SpotBugs. This could be used to push the branch into the repository and access the CI’s secret,” Unit 42 said.
As for how write permission was obtained, it was revealed on March 11, 2025, that the user behind the malicious commit of “Jurkaofavak” in the malicious spot bug “Jurkaofavak” was invited to the repository by one of the project maintainers themselves.
In other words, the attacker was able to get a PAT for the SpotBugs repository to invite “Jurkaofavak” and become a member. The cybersecurity company said it was executed by creating a fork for the “Spotbugs/Sonar-findbugs” repository and creating a pull request under the username “Randolzfow”.
“2024-11-28T09:45:13 UTC, [the SpotBugs maintainer] “We’ve changed one of our SpotBugs/Sonar-Findbugs workflows and are using our own PAT due to technical issues in some of the CI/CD processes,” explained Unit 42.
“2024-12-06 02:39:00 At UTC, the attacker submitted a malicious pull request to spotbugs/sonar-findbug.
The “Pull_request_target” trigger is a GitHub Action Workflow trigger that allows workflows running from a fork to access secrets.
The SpotBugs maintainer then confirmed that the PAT used as the secret of the workflow was the same access token and that it was the same access token that was later used to invite “Jurkaofavak” to the “Spotbugs/Spotbugs” repository. The maintainer also rotated all tokens and pads to prevent further access by attackers.
One unknown in all of this is the three-month gap between when the attacker leaked Pat of the Spotbugs maintainer and when they abused it. The attackers are keeping an eye on projects that rely on “TJ-actions/Changed-Files,” and are suspected that they were waiting to hit a valuable target like Coinbase.
“After investing months of effort and achieving so much, did the attacker print secrets on the logs and revealing the attack by doing so?”
Source link
