
Coinbase Hit by GitHub Actions Supply Chain Attack Exposing Secrets in 218 Repositories

Writer: John Jordan

A recent supply chain attack targeting GitHub Actions has compromised the secrets of 218 repositories, with Coinbase identified as the primary target. The attack exploited vulnerabilities in popular GitHub Actions, leading to the potential exposure of sensitive CI/CD secrets across numerous projects.


Key Takeaways

  • Coinbase was the main target of the attack, although it reported no successful breaches.

  • The attack involved the compromise of the reviewdog/action-setup@v1 GitHub Action.

  • A total of 218 repositories were confirmed to have exposed secrets, despite over 23,000 using the affected action.

  • The exposed secrets included GitHub tokens and other sensitive information, with some being short-lived.

Overview of the Attack

The attack began on March 14, 2025, when malicious code was injected into the GitHub Action. This action is widely used in code review workflows and was modified to dump CI/CD secrets into workflow logs. The compromised action was in turn pulled in by a second, more widely used GitHub Action, which is employed by over 23,000 repositories.

The attackers managed to obtain a GitHub personal access token (PAT) that allowed them to push a malicious commit to that downstream action. This commit was specifically designed to expose secrets from the CI/CD workflows of projects using it, including those belonging to Coinbase.

Impact on Coinbase

Coinbase's project was directly targeted during the attack. The malicious commit allowed the attackers to gain write access to the repository, but Coinbase later confirmed that the attack did not result in any damage or loss of assets. The company stated that its security measures prevented any successful exploitation of the exposed secrets.

Scope of the Breach

While the attack affected a large number of repositories, only 218 were confirmed to have leaked secrets. The majority of these secrets were short-lived tokens that expire after a single workflow run. However, some repositories also exposed more sensitive credentials, including those for DockerHub, npm, and AWS.

  • Total Repositories Using Affected Action: 23,000

  • Repositories Exposed: 218

  • Repositories Running Workflows During Attack: 614

  • Repositories with Secrets Printed to Logs: 218

Recommendations for Affected Users

Organizations that may have been impacted by this attack are advised to take immediate action:

  1. Rotate Secrets: Change any secrets that were used during the attack timeframe (March 14-15).

  2. Review Workflows: Check for unexpected outputs in the logs, particularly under the 'changed-files' section.

  3. Update References: Ensure that workflows reference specific commit hashes instead of mutable tags, so that a tag moved to a malicious commit cannot silently change what a workflow runs.

  4. Implement Security Best Practices: Utilize GitHub's allow-listing feature to restrict unauthorized actions and review third-party actions before use.
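As an added example (not part of the article or of any project it names), the following script implements the pinning check from step 3: it scans workflow YAML text for `uses:` references and reports every third-party action referenced by a mutable tag or branch instead of a full 40-character commit SHA. The sample workflow and its commit hash are constructed for illustration.

```python
"""Flag GitHub Actions `uses:` references that are not pinned to a full commit SHA."""
import re

# Matches `uses: owner/repo[/path]@ref`, tolerating a leading list dash,
# quotes, and a trailing inline comment.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?(?P<action>[^@'\"\s]+)@(?P<ref>[^'\"\s#]+)", re.M
)
# A full commit SHA is exactly 40 lowercase hex characters.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned(workflow_yaml: str) -> list[tuple[str, str]]:
    """Return (action, ref) pairs whose ref is a mutable tag or branch.

    Local actions (./path) and docker:// images are skipped: they are not
    governed by GitHub tag pinning and need a separate policy.
    """
    unpinned = []
    for m in USES_RE.finditer(workflow_yaml):
        action, ref = m.group("action"), m.group("ref")
        if action.startswith("./") or action.startswith("docker://"):
            continue
        if not FULL_SHA_RE.match(ref):
            unpinned.append((action, ref))
    return unpinned


# Constructed sample workflow; the SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: reviewdog/action-setup@v1   # mutable tag: flagged
      - uses: example-org/some-action@main
      - uses: ./.github/actions/local-step
      - uses: docker://alpine@sha256:deadbeef
"""

if __name__ == "__main__":
    for action, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"unpinned: {action}@{ref}")
```

Run it over every file under `.github/workflows/` to get a list of references to replace with commit hashes; a clean run returns an empty list.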

The GitHub Actions supply chain attack highlights the vulnerabilities inherent in widely used automation tools. While Coinbase managed to avert significant damage, the incident serves as a reminder for organizations to strengthen their security protocols and remain vigilant against potential threats in the software supply chain.

As cybercriminals continue to adapt their strategies, awareness and education remain crucial in combating these threats. Cybersecurity is critical. BetterWorld Technology offers cutting-edge solutions to combat evolving threats while driving innovation. Protect your business with confidence—contact us today for a consultation!

Sources

  • GitHub Action hack likely led to another in cascading supply chain attack, BleepingComputer.

  • Coinbase was primary target of recent GitHub Actions breaches, BleepingComputer.

  • Impact, Root Cause of GitHub Actions Supply Chain Hack Revealed, SecurityWeek.

  • Supply chain attack on popular GitHub Action exposes CI/CD secrets, BleepingComputer.

  • GitHub Action supply chain attack exposed secrets in 218 repos, BleepingComputer.
