Recent GitHub supply chain attack traced to leaked SpotBugs token
Published on: 2025-05-16 02:46:50
A cascading supply chain attack on GitHub that targeted Coinbase in March has now been traced back to a single token stolen from a SpotBugs workflow, which allowed a threat actor to compromise multiple GitHub projects.
The popular static analysis tool SpotBugs was breached in November 2024, leading to the compromise of Reviewdog, which subsequently led to the infection of tj-actions/changed-files.
The multi-step supply chain attack eventually exposed secrets in 218 repositories, while the latest findings showed that the threat actors were initially attempting to breach projects belonging to the cryptocurrency exchange Coinbase.
The origin of the attack, which had remained unknown until now, was identified by Palo Alto Networks' Unit 42 researchers, who yesterday added an update to their original analysis of the incident.
The cascading supply chain attack
We now know that the supply chain attack started in late November 2024 when a SpotBugs maintainer (SPTBHS_MNTNR) added their Personal