Crypto Exchange Coinbase Targeted in Sophisticated GitHub Cyberattack

In a revealing development, researchers have pinpointed crypto exchange Coinbase as the primary focus of a meticulously orchestrated supply chain attack targeting GitHub Actions. This breach compromised sensitive credentials across hundreds of repositories, spotlighting vulnerabilities in widely used development tools.
GitHub Actions, for those unfamiliar, is a platform feature that automates workflows, allowing developers to build, test, and deploy code directly within GitHub repositories. Its widespread adoption makes it a critical cog in modern software development, but also a potential target for exploitation. According to detailed investigations by Palo Alto Unit 42 and Wiz, the assault leveraged a popular GitHub Action, exposing critical weaknesses in the software supply chain that powers countless projects, including those tied to Coinbase.
The attack’s origins trace back to the compromise of a specific GitHub Action known as reviewdog/action-setup@v1. Though the exact entry point remains unknown, researchers found that malicious code was subtly inserted into this action, enabling it to siphon CI/CD secrets and authentication tokens directly into GitHub Actions logs.
This initial breach set off a chain reaction, pulling in another action, tj-actions/eslint-changed-files, which unwittingly executed the tainted reviewdog component. As a result, its secrets were similarly exposed, creating an opening for attackers to escalate their operation. From there, the perpetrators seized a Personal Access Token, using it to embed a malicious commit within the tj-actions/changed-files action, further amplifying the theft of sensitive data across connected projects.
What stands out in this campaign is its deliberate targeting. The malicious commit was crafted with precision, zeroing in on Coinbase’s projects alongside an account tagged as “mmvojwip,” believed to be linked to the attacker. Coinbase, a prominent name in the crypto space, relies on tools like its coinbase/agentkit—a framework designed to enable artificial intelligence agents to interact with blockchain systems—which became a key point of exploitation in this breach.
How Coinbase Became the Focal Point
The tj-actions/changed-files action, utilized by over 20,000 projects, served as a broad net for the attackers, but Coinbase’s infrastructure was clearly in their crosshairs. The coinbase/agentkit workflow, for instance, executed the compromised action, inadvertently granting the attackers a GitHub token with Write access to the repository.
Palo Alto Unit 42 notes that the attackers obtained this token on March 14, 2025, at 15:10 UTC, a mere two hours before the attack expanded to ensnare the wider tj-actions/changed-files ecosystem. This timeline underscores the speed and coordination behind the operation, highlighting Coinbase as the linchpin of the initial strike.
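The chain described above works because a workflow pulls in a third-party action by a mutable tag and runs it with a GitHub token whose scope the workflow never narrowed. As an added defensive example (not code from the article or from any of the projects it names), the script below audits a workflow file for the two conditions: actions pinned to a tag or branch rather than a full commit SHA, and the absence of a `permissions:` block. The set of flagged action names is taken from the article; the sample workflow and its checkout SHA are constructed placeholders.

```python
import re

# Actions named in the reporting on this incident (taken from the article above).
AFFECTED_ACTIONS = {
    "reviewdog/action-setup",
    "tj-actions/eslint-changed-files",
    "tj-actions/changed-files",
}

# A full 40-hex commit SHA is immutable; a tag or branch (v1, main, ...) can be moved.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s@]+)@([^'\"\s#]+)")
PERMS_RE = re.compile(r"^\s*permissions:", re.M)


def audit_workflow(text):
    """Return (line_no, action, ref, reason) findings for one workflow YAML text."""
    findings = []
    if not PERMS_RE.search(text):
        findings.append((0, "-", "-", "no permissions: block; GITHUB_TOKEN scope falls back to repository defaults"))
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:  # local (./path) and docker:// steps carry no @ref and are skipped here
            continue
        action, ref = m.group(1), m.group(2)
        repo = "/".join(action.split("/")[:2])  # owner/repo, dropping any sub-path
        if repo in AFFECTED_ACTIONS:
            findings.append((line_no, action, ref, "action named in the reviewdog/tj-actions incident"))
        if not SHA_RE.match(ref):
            findings.append((line_no, action, ref, "mutable ref; pin to a full commit SHA"))
    return findings


# Constructed sample workflow; the checkout SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - name: Find changed files
        uses: tj-actions/changed-files@main
      - uses: reviewdog/action-setup@v1
"""

if __name__ == "__main__":
    for line_no, action, ref, reason in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action}@{ref}: {reason}")
```

Pinning to a SHA does not protect a repository whose own token is over-scoped, so the missing-`permissions:` finding is reported even when every action is pinned.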
Despite the breach’s sophistication, Coinbase has stated that the attack failed to inflict any tangible harm. After Unit 42 shared its findings, the company reviewed the incident and confirmed that neither the agentkit project nor any other assets were compromised. This resilience suggests robust internal safeguards, though the episode still raises questions about the broader security of open-source tools integral to the tech and crypto industry.
The attackers, perhaps anticipating resistance, shifted tactics after their Coinbase-focused gambit faltered, broadening their scope to all projects tied to the changed-files action. In the end, while 23,000 repositories used this action, only 218 ultimately fell victim to the breach, a relatively contained outcome given the potential scale.