The supply chain attack on the GitHub Action “tj-actions/changed-files” began as a highly targeted attack against one of Coinbase’s open-source projects before becoming broader in scope.
According to Palo Alto Networks Unit 42, “the payload was focused on exploiting the public CI/CD flow of one of their open source projects – agentkit, probably with the goal of leveraging it for further compromises.” The attacker was, however, unable to publish packages or use Coinbase secrets, Unit 42 added.
On March 14, 2025, it was discovered that “tj-actions/changed-files” had been compromised to inject code that leaked sensitive secrets from repositories that ran the workflow. It has been assigned a CVE identifier (CVSS score: 8.6).
According to Endor Labs, 218 GitHub repositories are estimated to have been exposed to the supply chain attack, and the leaked information consists mainly of “a few dozen” GitHub installation access tokens as well as “a few dozen” credentials for Docker Hub, npm, and Amazon Web Services (AWS).
Security researcher Henrik Plate said, “The initial scale of the supply chain attack sounded frightening, considering that tens of thousands of repositories depend on the GitHub Action.”
“On the other hand, looking deeper into the workflows, their runs, and leaked secrets shows that the real impact is less severe than expected: Only 218 repositories leaked secrets, and the majority of those are short-lived GITHUB_TOKENs, which expire after a workflow run is finished.”
Since then, it has become known that the v1 tag of a different GitHub Action called “reviewdog/action-setup,” which “tj-actions/changed-files” relies on as a dependency via “tj-actions/eslint-changed-files,” was also compromised in the run-up to the tj-actions incident with a similar payload. The issue is being tracked as CVE-2025-30154 (CVSS score: 8.6).
Following exploitation of CVE-2025-30154, the unnamed threat actor is said to have been able to modify the repository and push malicious code, which would have affected every GitHub repository that depended on the action.
The secrets of the tj-actions/eslint-changed-files CI runner were leaked, including a Personal Access Token (PAT) belonging to the tj-bot-actions GitHub user account, Unit 42 researchers Omer Gil, Aviad Hahami, Asi Greenholts, and Yaron Avital said.
The attacker is also believed to have managed to gain write access to the reviewdog organization by obtaining a token, which was then used to make the rogue changes. That said, it is currently unknown how this token might have been acquired.
Additionally, it is said that the malicious commits to “reviewdog/action-setup” were made by first forking the corresponding repository, making changes there, creating a fork pull request to the original repository, and finally introducing arbitrary commits, a practice known as a dangling commit.
According to Gil, Senior Research Manager at Palo Alto Networks, “The attacker took significant measures to conceal their tracks, using various techniques, including leveraging dangling commits, creating multiple temporary GitHub user accounts, and obfuscating their activities in workflow logs (especially in the initial Coinbase attack).” These findings indicate that the attacker is highly skilled and well-versed in CI/CD security threats and attack tactics.
According to Unit 42, the user account responsible for the fork pull request, “iLrmKCu86tjwp8,” may have been hidden from public view after the attacker switched from a legitimate email address provided during registration to an unverified (or anonymous) email, in violation of GitHub’s policy.
This could have resulted in the user hiding all of their interactions and activities. However, when reached for comment, GitHub said that it is continuously reviewing the situation and taking action as necessary, but did not confirm or deny the hypothesis.
There is currently no evidence that GitHub or its systems have been compromised. A GitHub spokesperson told The Hacker News that the projects in question are “user-maintained open-source projects.”
In accordance with its Acceptable Use Policies, GitHub continues to review and take action on user reports related to repository contents, including malware and other malicious issues. Users should always review GitHub Actions or any other package they are using before updating to new versions, as is the case for all other instances of using third-party code.
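Both compromised actions were consumed through mutable tags (such as the v1 tag mentioned above), which is what let a retagged release change what ran in downstream workflows. As an added, illustrative check that is not part of the article, Unit 42's research or GitHub's tooling, the following script scans a workflow file for `uses:` references that are pinned to a tag rather than a full commit SHA, and flags the two actions named in the article as critical; the sample workflow and the SHA in it are constructed.

```python
import re

# Actions the article names as compromised; tag references to these are the highest-risk hits.
COMPROMISED_ACTIONS = {"tj-actions/changed-files", "reviewdog/action-setup"}

# Matches "uses: owner/repo[/path]@ref" step lines; local "./" and "docker://" uses do not match.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([\w.-]+/[\w.-]+)(?:/[^@\s'\"]+)?@([^\s'\"#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text):
    """Return findings for every third-party action not pinned to a full commit SHA.

    Each finding is (line_number, action, ref, severity); severity is 'critical'
    for the actions named in the article and 'warn' for any other mutable ref.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group(1), m.group(2)
        if SHA_RE.match(ref):
            continue  # immutable pin: moving or retagging a release cannot change what runs
        severity = "critical" if action in COMPROMISED_ACTIONS else "warn"
        findings.append((lineno, action, ref, severity))
    return findings


# Constructed sample workflow (not from any real repository); the 40-hex SHA is a placeholder.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: tj-actions/changed-files@v45
      - uses: reviewdog/action-setup@v1
      - uses: ./.github/actions/local-step
      - name: test
        run: npm test
"""

if __name__ == "__main__":
    for lineno, action, ref, severity in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{severity:8} line {lineno}: {action}@{ref} is not pinned to a commit SHA")
```

Run it over each file under `.github/workflows/` to list every step a moved tag could silently change.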
A deeper search for GitHub forks of tj-actions/changed-files has uncovered two additional accounts, “2ft2dKo28UazTZ” and “mmvojwip,” both of which have since been removed from the platform. Both accounts have also been found to have created forks of Coinbase-related repositories such as onchainkit, agentkit, and x402.
Further investigation has revealed that the accounts altered the agentkit repository’s “log” file using a fork pull request so that its “tj-actions/changed-files” reference points to a malicious version of the action.
The attacker is believed to have used the tj-actions/changed-files GitHub Action to make the illicit changes by obtaining a GitHub token with write permissions for the agentkit repository.
Another critical aspect worth noting is the difference in the payloads used in the two cases, which suggests attempts on the attacker’s part to stay under the radar.
“The attacker used various payloads at different stages of the attack,” Gil said. In the widespread attack, the attacker “dumped the runner’s memory and printed environment variables to the workflow’s log, regardless of which workflow was being run.”
“The attacker specifically fetched the GITHUB_TOKEN and made sure that the payload would only run if the repository belonged to Coinbase,” Gil added.
Given the hyper-specific targeting of Coinbase, Gil noted, it is “clearly” suspected that the intention was financial gain, probably by attempting crypto theft. What the end goal of the campaign was is not known. The cryptocurrency exchange remediated the attack as of March 19, 2025.
It is unknown what caused the attacker to switch gears and turn what was initially a targeted attack into a large-scale and less covert campaign.
According to Gil, the attacker may have feared losing access to the tj-actions/changed-files action after realizing they could not use their token to poison the Coinbase repository.
Because compromising this action could open up many other projects, they may have chosen to act quickly. This might explain why they launched the widespread attack just 20 minutes after Coinbase reduced the exposure on their end, despite the increased risk of detection.