The "tj-actions/changed-files" GitHub Action supply chain attack began as a highly targeted assault against one of Coinbase's open-source projects before broadening in scope.
According to a report from Palo Alto Networks Unit 42, "the payload was focused on exploiting the public CI/CD flow of one of their open source projects, perhaps with the intention of using it for further compromises." The attacker was, however, unable to publish packages or use Coinbase's secrets, the report added.
On March 14, 2025, it was discovered that "tj-actions/changed-files" had been compromised to add code that leaked sensitive information from repositories that ran the workflow. The issue has been assigned a CVE identifier (CVSS score: 8.6).
According to Endor Labs, 218 GitHub repositories are thought to have exposed secrets as a result of the supply chain attack, and the majority of the leaked information consists of a "few dozen" credentials for Docker Hub, npm, and Amazon Web Services (AWS), as well as GitHub install access tokens.
According to security researcher Henrik Plate, "the original scale of the supply chain attack sounded frightening, given that tens of thousands of repositories depend on the GitHub Action."
"On the other hand, looking deeper into the workflows, their runs, and leaked secrets shows that the real effect is less severe than expected: Only 218 repositories leaked secrets, and the majority of those are short-lived GITHUB_TOKENs, which expire after a workflow run is finished."
Since then, it has become known that the v1 tag of a different GitHub Action, "reviewdog/action-setup," on which "tj-actions/changed-files" relies as a dependency via "tj-actions/eslint-changed-files," was also compromised in the run-up to the tj-actions incident with a comparable payload. That compromise is being tracked under its own CVE (CVSS score: 8.6).
The unnamed threat actor is reported to have leveraged CVE-2025-30154 to gain the ability to modify the tj-actions/changed-files repository and push the malicious code, which would have affected every GitHub repository that depended on the action.
When the tj-actions/eslint-changed-files action was run, the tj-actions/changed-files CI runner's secrets were leaked, allowing the attackers to access the runner's credentials, including a Personal Access Token (PAT) belonging to the tj-bot-actions GitHub user account, according to Unit 42 researchers Omer Gil, Aviad Hahami, Asi Greenholts.
The attacker is also believed to have gained access to the reviewdog organization and obtained a token in order to perform the rogue alterations. That said, it is still unknown how this token might have been acquired.
Additionally, the malicious commits to "reviewdog/action-setup" are said to have been carried out by first forking the corresponding repository, making changes there, creating a fork pull request to the original repository, and finally introducing the malicious commits, a practice known as a dangling commit.
"The attacker took significant actions to conceal their tracks, using various methods including leveraging dangling commits, creating multiple temporary GitHub user accounts, and obfuscating their actions in workflow logs (especially in the initial Coinbase attack)," said Gil, Senior Research Manager at Palo Alto Networks. These findings demonstrate that the attacker is highly skilled and well-versed in CI/CD security threats and attack strategies.
According to Unit 42, the user account responsible for the fork pull request, "iLrmKCu86tjwp8," may have been hidden from the public after the attacker switched from a legitimate email address provided during registration to a disposable (or anonymous) email, in violation of GitHub's policy.
This could have resulted in the user concealing all the interactions and actions they performed. When reached for comment, GitHub stated that it is actively reviewing the situation and taking steps as necessary, but did not confirm or refute the hypothesis.
There is currently no proof that GitHub or its systems have been compromised. The projects highlighted are "user-maintained open-source projects," a GitHub spokesperson told The Hacker News.
In accordance with GitHub's Acceptable Use Policies, the company continues to review and take action on user reports relating to repository contents, including malware and other malicious attacks. Users should always review GitHub Actions, or any other package they use in their code, before updating to new versions, just as they would for any other third-party code.
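A practical way to act on that advice is to pin every third-party action to an immutable commit SHA rather than a mutable tag such as `v45` or `v1`, since a tag can be repointed at whatever commit a compromised maintainer account chooses. The following Python script is an added defender-side example, not code from the article or from any project it names: it scans workflow files for `uses:` references that are not pinned to a full 40-character SHA. The sample workflow, the regular expressions, and all function names are constructed for this example.

```python
"""Flag `uses:` references in GitHub Actions workflows that are not pinned to
an immutable commit SHA.  Illustrative check written for this page; the
sample workflow text below is constructed, not taken from any real repository."""

import re
from pathlib import Path

# `- uses: owner/repo[/path]@ref` or `uses: ...`, optionally quoted, optional
# trailing comment.  Constructed regex; not a full YAML parser, but it copes
# with the way workflow steps are written in practice.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)['\"]?", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA_RE = re.compile(r"^[0-9a-f]{7,39}$")


def find_unpinned_uses(workflow_text: str) -> list[tuple[str, str, str]]:
    """Return (action, ref, reason) for every reference that is not pinned.

    Local actions (`./path`) are skipped: they live in the same repository and
    have no external tag to repoint.  Docker references are pinned only when
    they carry an `@sha256:` digest."""
    findings = []
    for match in USES_RE.finditer(workflow_text):
        spec = match.group(1)
        if spec.startswith("./"):
            continue
        if spec.startswith("docker://"):
            if "@sha256:" not in spec:
                findings.append((spec, "", "docker image by tag; pin by @sha256: digest"))
            continue
        action, _, ref = spec.partition("@")
        if not ref:
            findings.append((action, "", "no ref; resolves to the default branch"))
        elif FULL_SHA_RE.match(ref):
            continue  # immutable commit SHA: what we want
        elif SHORT_SHA_RE.match(ref):
            findings.append((action, ref, "abbreviated SHA; use the full 40-character SHA"))
        else:
            findings.append((action, ref, "mutable tag or branch; can be repointed"))
    return findings


def scan_workflow_dir(repo_root: str) -> dict[str, list[tuple[str, str, str]]]:
    """Scan .github/workflows/*.yml|*.yaml under repo_root; returns findings per file."""
    results = {}
    workflows = Path(repo_root) / ".github" / "workflows"
    for path in sorted(list(workflows.glob("*.yml")) + list(workflows.glob("*.yaml"))):
        findings = find_unpinned_uses(path.read_text(encoding="utf-8"))
        if findings:
            results[str(path)] = findings
    return results


# Constructed sample workflow: one properly pinned step, two mutable tags of the
# kind discussed in the article, one local action, one docker image by tag.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # constructed SHA
      - uses: tj-actions/changed-files@v45
      - name: lint
        uses: reviewdog/action-setup@v1
      - uses: ./.github/actions/local-lint
      - uses: docker://alpine:3.19
"""

if __name__ == "__main__":
    for action, ref, reason in find_unpinned_uses(SAMPLE_WORKFLOW):
        print(f"{action}@{ref or '<none>'}: {reason}")
```

Run against a checkout with `scan_workflow_dir(".")` to get a per-file list; the usual remediation is to replace each flagged tag with the full SHA of the release you reviewed and keep the tag in a trailing comment, as the pinned `actions/checkout` step in the sample does. Dependabot and similar tools can then bump the SHA through reviewable pull requests instead of the tag silently moving.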
Two additional accounts, "2ft2dKo28UazTZ" and "mmvojwip," both of which have since been deleted from the platform, were discovered through a deeper search of GitHub forks of tj-actions/changed-files. Both accounts were also found to have created forks of Coinbase-related repositories such as onchainkit, agentkit, and x402.
Further investigation found that, using a fork pull request, the accounts altered the "changelog" workflow "yml" file in the agentkit repository so that its "tj-actions/changed-files" reference pointed to a malicious version that had previously been published using the PAT.
The attacker is alleged to have used the tj-actions/changed-files GitHub Action to perform the unauthorized changes by obtaining a GitHub token with write permissions for the agentkit repository.
Another important factor to be aware of is the difference between the payloads used in the two cases, which suggests the attacker was trying to stay under the radar.
"The attacker used various payloads throughout the attack," Gil said. In the widespread attack, the attacker "dumped the runner's memory and printed environment variables to the workflow's log, regardless of which workflow was being run."
"However, when attempting to attack Coinbase, the attacker specifically fetched the GITHUB_TOKEN and made sure that the payload would only run if the repository belonged to Coinbase."
Given the hyper-specific targeting of Coinbase, Gil noted, it is "strongly" suspected that the intention was financial gain, likely an attempt at cryptocurrency theft. The end goal of the campaign is not known. The cryptocurrency exchange had remediated the attack as of March 19, 2025.
What caused the attacker to switch gears, turning what was initially a targeted attack into a large-scale and less covert campaign, is unknown.
” One theory is that the attacker feared losing access to the tj-actions/changed-files action after realizing they could not use their token to poison the Coinbase repository,” Gil said.
They may have chosen to act quickly because compromising this action could open the door to many more projects. This could explain why they launched the widespread attack just 20 minutes after Coinbase reduced the exposure on their end, despite the increased detection risk.