Coinbase was primary target of recent GitHub Actions breaches

Researchers have determined that Coinbase was the primary target in a recent GitHub Actions cascading supply chain attack that compromised secrets in hundreds of repositories. According to new reports from Palo Alto Unit 42 and Wiz, the attack was carefully planned and began when malicious code was injected into reviewdog/action-setup@v1 GitHub Action. It is unclear how the breach occurred, but the threat actors modified the action to dump CI/CD secrets and authentication tokens into GitHub Actions logs. As previously reported, the first stage of the breach involved the compromise of the reviewdog/action-setup@v1 GitHub Action. It is unclear how the breach occurred, but when a related GitHub Action, tj-actions/eslint-changed-files , invoked the reviewdog action, causing its secrets to be dumped to workflow logs. This allowed the threat actors to steal a Personal Access Token that was then used to push a malicious commit to the tj-actions/changed-files GitHub Action that once again d ... Read full article.