GitHub Supply Chain Attack Tied to SpotBugs Access Token Theft

By jinia

A widespread GitHub supply chain attack—first detected at Coinbase and later affecting multiple repositories—has now been traced back to the theft of a Personal Access Token (PAT) from SpotBugs, a popular static code analysis tool.


According to a new report from Palo Alto Networks' Unit 42, the attackers exploited a weakness in SpotBugs' GitHub Actions workflows. This initial breach allowed them to move laterally across related repositories, ultimately compromising the widely used reviewdog/action-setup.


🔍 Root Cause: SpotBugs GitHub Actions Workflow Compromise

The threat actors reportedly gained unauthorized access by exploiting GitHub Actions in SpotBugs’ CI/CD pipeline. This access enabled them to:


  • Compromise the SpotBugs maintainer’s PAT

  • Traverse through repositories until gaining access to reviewdog

  • Publish a malicious version of reviewdog/action-setup


This tampered package was unknowingly integrated into the tj-actions/changed-files GitHub Action—used by many organizations, including Coinbase.


🗓️ Timeline of the Attack

  • November 28, 2024: The SpotBugs maintainer used a personal access token in the GitHub workflow to troubleshoot CI/CD issues.

  • December 6, 2024: The attacker exploited the workflow using a malicious pull request that abused the pull_request_target trigger, resulting in a Poisoned Pipeline Execution (PPE) attack.

  • March 11, 2025: The attacker, using the alias "jurkaofavak", was added as a member to the spotbugs/spotbugs repository.

  • March 2025: The compromised tj-actions/changed-files Action was used in a CI/CD pipeline at Coinbase, leading to the broader discovery of the attack.


🚨 The Attack Chain: How It Unfolded

  1. The attacker submitted a pull request to the spotbugs/sonar-findbugs repo using the fake username "randolzfow".

  2. The workflow ran on the insecurely configured pull_request_target trigger, so the untrusted pull request executed with the maintainer’s PAT in scope and the token leaked.

  3. With this access, the attacker pushed a malicious GitHub Actions workflow to the main spotbugs/spotbugs repository.

  4. That same access was then used to compromise reviewdog/action-setup, an Action widely used in the ecosystem.

  5. Since tj-actions/changed-files listed reviewdog/action-setup as a dependency, it became a vehicle for widespread distribution of the attack.
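As an added illustration (not the actual SpotBugs or reviewdog configuration), the kind of pull_request_target misconfiguration behind step 2 is shown beside a hardened equivalent; the workflow names, the Gradle command and the MY_TOKEN secret are constructed for the example.

```yaml
# CONSTRUCTED illustration of the pull_request_target misconfiguration described
# in the article; this is not SpotBugs' or reviewdog's real workflow.
#
# WEAK: pull_request_target runs in the base repository's context, so secrets are
# available, yet this job checks out and executes the untrusted pull-request head.
# Any build script changed in the PR therefore runs with MY_TOKEN in its
# environment: a Poisoned Pipeline Execution.
name: ci-weak
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # untrusted PR code
      - run: ./gradlew build                                 # executes that code
        env:
          MY_TOKEN: ${{ secrets.MY_TOKEN }}                  # exposed to it
---
# HARDENED: untrusted PR code builds under the plain pull_request trigger, which
# for forks receives only a read-only GITHUB_TOKEN and no repository secrets.
# Work that genuinely needs secrets belongs in a separate pull_request_target
# job that never checks out or executes the PR head. Third-party actions are
# pinned to a full commit SHA, so a re-tagged or replaced release (the pattern
# seen with reviewdog/action-setup) cannot silently swap in different code.
name: ci-hardened
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@<full-commit-sha>   # placeholder: pin a real SHA
      - run: ./gradlew build   # no secrets in scope; a malicious PR gains nothing
```

Auditing for `pull_request_target` jobs that check out `github.event.pull_request.head.sha` (or `head.ref`) and then run build tooling is a quick way to find this pattern across an organization's repositories.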



🤯 Questions Remain

Despite the clarity around the attack vector, one critical mystery remains: Why did the attackers wait three months after stealing the token before using it?


Unit 42 researchers suspect they were strategically waiting to compromise a high-value target, such as Coinbase, before triggering their payload.


“Having invested months of effort and achieved so much access, why did the attackers log secrets—thereby revealing the attack?”
Unit 42, Palo Alto Networks


✅ Response & Mitigation

  • The SpotBugs maintainer has confirmed the PAT was used both in the workflow and to invite the rogue account.

  • All access tokens and secrets have since been revoked and rotated.

  • GitHub repositories involved in the incident are undergoing security audits and updates to CI/CD best practices.


🔐 Key Takeaways

  • CI/CD pipelines remain a lucrative target for threat actors.

  • Misconfigured GitHub Actions (especially pull_request_target) can open dangerous security holes.

  • Token hygiene—avoiding hardcoded secrets and rotating them regularly—is essential for repository security.

  • The attack underscores the importance of supply chain security and dependency monitoring in open-source ecosystems.