GitHub Supply Chain Breach: Coinbase Attack Exposes 218 Repositories, Leaks CI/CD Secrets


The supply chain attack involving the GitHub Action “tj-actions/changed-files” started as a highly-targeted attack against one of Coinbase’s open-source projects, before evolving into something more widespread in scope.

“The payload was focused on exploiting the public CI/CD flow of one of their open source projects – agentkit, probably with the purpose of leveraging it for further compromises,” Palo Alto Networks Unit 42 said in a report. “However, the attacker was not able to use Coinbase secrets or publish packages.”

The incident came to light on March 14, 2025, when it was found that “tj-actions/changed-files” was compromised to inject code that leaked sensitive secrets from repositories that ran the workflow. It has been assigned the CVE identifier CVE-2025-30066 (CVSS score: 8.6).

According to Endor Labs, 218 GitHub repositories are estimated to have exposed their secrets due to the supply chain attack, and a majority of the leaked information includes a “few dozen” credentials for DockerHub, npm, and Amazon Web Services (AWS), as well as GitHub install access tokens.

“The initial scale of the supply chain attack sounded scary, considering that tens of thousands of repositories depend on the GitHub Action,” security researcher Henrik Plate said.

“However, drilling down into the workflows, their runs and leaked secrets shows that the actual impact is smaller than anticipated: ‘Only’ 218 repositories leaked secrets, and the majority of those are short-lived GITHUB_TOKENs, which expire once a workflow run is completed.”

Since then, it has emerged that the v1 tag of another GitHub Action called “reviewdog/action-setup,” which “tj-actions/changed-files” relies on as a dependency via “tj-actions/eslint-changed-files,” was also compromised in the lead-up to the tj-actions incident with a similar payload. The breach of “reviewdog/action-setup” is being tracked as CVE-2025-30154 (CVSS score: 8.6).

The exploitation of CVE-2025-30154 is said to have enabled the unidentified threat actor to obtain a personal access token (PAT) associated with “tj-actions/changed-files,” thereby allowing them to modify the repository and push the malicious code, in turn impacting every single GitHub repository that depended on the action.
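
As an added illustration (not part of the original report or of any vendor's tooling), the short Python audit below lists every `uses:` reference in a workflow file, flags the three actions named in this article, and marks whether each is followed through a mutable tag or branch rather than a full commit SHA. The function names and the sample workflow are constructed for this example.

```python
import re

# Actions named in the article as compromised or part of the dependency chain.
AFFECTED = {"tj-actions/changed-files", "tj-actions/eslint-changed-files",
            "reviewdog/action-setup"}
# "uses: owner/repo[/subpath]@ref"; local (./x) and docker:// steps do not match.
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*['\"]?([\w.-]+/[\w.-]+)(?:/[^@\s'\"]*)?@([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)


def audit_workflow(text):
    """Return one finding per third-party `uses:` line in a workflow file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group(1), m.group(2)
        findings.append({
            "line": lineno, "action": action, "ref": ref,
            # A tag or branch can be repointed by anyone with write access
            # to the action's repository; a full commit SHA cannot.
            "mutable_ref": not FULL_SHA_RE.match(ref),
            "named_in_incident": action.lower() in AFFECTED,
        })
    return findings


def at_risk(text):
    """Affected actions that this workflow follows through a mutable ref."""
    return [(f["line"], f["action"], f["ref"]) for f in audit_workflow(text)
            if f["named_in_incident"] and f["mutable_ref"]]

# Constructed sample workflow, not taken from any real repository.
SAMPLE = """\
on: pull_request
jobs:
  diff:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # constructed SHA
      - uses: tj-actions/changed-files@main
      - uses: reviewdog/action-setup@v1
"""

if __name__ == "__main__":
    for finding in at_risk(SAMPLE):
        print("line %d: %s@%s is a mutable reference" % finding)
```

Pinning only the top-level reference does not cover actions that the pinned action itself pulls in by tag, which is how “reviewdog/action-setup” reached “tj-actions/changed-files” here.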

“When the tj-actions/eslint-changed-files action was executed, the tj-actions/changed-files CI runner’s secrets were leaked, allowing the attackers to steal the credentials used in the runner, including a Personal Access Token (PAT) belonging to the tj-bot-actions GitHub user account,” Unit 42 researchers Omer Gil, Aviad Hahami, Asi Greenholts, and Yaron Avital said.

It’s currently suspected that the attacker managed to somehow gain access to a token with write access to the reviewdog organization in order to make the rogue alterations. That said, the manner in which this token may have been acquired remains unknown at this stage.

Furthermore, the malicious commits to “reviewdog/action-setup” are said to have been carried out by first forking the corresponding repository, committing changes to it, and then creating a fork pull request to the original repository, ultimately introducing arbitrary commits – a scenario called a dangling commit.

“The attacker took significant measures to conceal their tracks using various techniques, such as leveraging dangling commits, creating multiple temporary GitHub user accounts, and obfuscating their activities in workflow logs (especially in the initial Coinbase attack),” Gil, Senior Research Manager at Palo Alto Networks, told The Hacker News. “These findings indicate that the attacker is highly skilled and has a deep understanding of CI/CD security threats and attack tactics.”

Unit 42 theorized that the user account behind the fork pull request “iLrmKCu86tjwp8” may have been hidden from public view after the attacker switched from a legitimate email address provided during registration to a disposable (or anonymous) email in violation of GitHub’s policy.

This could have caused all the interactions and actions performed by the user to be concealed. However, when reached for comment, GitHub did not confirm or deny the hypothesis, but said it’s actively reviewing the situation and taking action as necessary.

“There is currently no evidence to suggest a compromise of GitHub or its systems. The projects highlighted are user-maintained open-source projects,” a GitHub spokesperson told The Hacker News.

“GitHub continues to review and take action on user reports related to repository contents, including malware and other malicious attacks, in accordance with GitHub’s Acceptable Use Policies. Users should always review GitHub Actions or any other package that they are using in their code before they update to new versions. That remains true here as in all other instances of using third party code.”

A deeper search for GitHub forks of tj-actions/changed-files has led to the discovery of two other accounts, “2ft2dKo28UazTZ” and “mmvojwip,” both of which have since been deleted from the platform. Both accounts have also been found to have created forks of Coinbase-related repositories such as onchainkit, agentkit, and x402.

Further examination has uncovered that the accounts modified the “changelog.yml” file in the agentkit repository using a fork pull request to point to a malicious version of “tj-actions/changed-files” published earlier using the PAT.

The attacker is believed to have obtained a GitHub token with write permissions to the agentkit repository – in turn facilitated by the execution of the tj-actions/changed-files GitHub Action – so as to make the unauthorized changes.

Another important aspect worth highlighting is the difference in the payloads used in the two cases, indicating attempts on the part of the attacker to stay under the radar.

“The attacker used different payloads at different stages of the attack. For example, in the widespread attack, the attacker dumped the runner’s memory and printed secrets stored as environment variables to the workflow’s log, regardless of which workflow was running,” Gil said.

“However, when targeting Coinbase, the attacker specifically fetched the GITHUB_TOKEN and ensured that the payload would only execute if the repository belonged to Coinbase.”

It’s currently not known what the end goal of the campaign was, but it’s “strongly” suspected that the intent was financial gain, likely attempting to conduct cryptocurrency theft, given the hyper-specific targeting of Coinbase, Gil pointed out. As of March 19, 2025, the cryptocurrency exchange has remediated the attack.

It’s also not clear what prompted the attacker to switch gears, turning what was initially a targeted attack into a large-scale and less stealthy campaign.

“One hypothesis is that after realizing they could not leverage their token to poison the Coinbase repository — and upon learning that Coinbase had detected and mitigated the attack — the attacker feared losing access to the tj-actions/changed-files action,” Gil said.

“Since compromising this action could provide access to many other projects, they may have decided to act quickly. This could explain why they launched the widespread attack just 20 minutes after Coinbase mitigated the exposure on their end despite the increased risk of detection.”
