Coinbase fends off targeted GitHub Action attack in early-stage breach attempt

Security experts claim that the publicly listed exchange Coinbase was the primary target in the GitHub Action supply chain attack. According to the cybersecurity firms analyzing the incident, the attacker initially tried to compromise the Coinbase open-source project agentkit.

It was only after they failed at this that they decided to attack GitHub action and target several repositories. Per the reports, the attacker was likely focusing on the Coinbase project so they could use it to access the exchange ecosystem and steal crypto assets.

However, they failed to achieve their aim as Coinbase also detected the attack on time and mitigated its impact. According to cybersecurity firm Wiz, its analysis of GitHub identities used in the attack shows that the attacker is active in the crypto community and likely operates from Europe or Africa.

Although Coinbase has not publicly commented on the incident, experts claim the exchange has confirmed that it resolved it. Expert analysis showed malicious actors injected code into “tj-actions/changed-files” to leak sensitive data from repositories running the workflow.

With Coinbase stopping the targeted attack, it appeared the bad actor decided to target the popular GitHub Action with a supply chain attack. Endor Labs discovered that the attack compromised 218 GitHub repositories, forcing them to reveal their secrets.

However, the majority of the leaked information was the credentials for Amazon Web Services, npm, Dockerhub, and GitHub access install tokens. This meant the impact was smaller than earlier feared as most of the leaked secrets were GitHub tokens that expired after the workflow run was completed.

Endor Labs researcher Henrik Plate said:

“The initial scale of the supply chain attack sounded scary, considering that tens of thousands of repositories depend on the GitHub Action.”

Meanwhile, security experts are also examining the motive of the attack. Many believe that the goal was likely to steal crypto assets from Coinbase. However, Coinbase remedying the incident on time might have led the attacker to change their approach from a stealth-targeted attack to a large-scale attack so that they could compromise many projects.

Crypto projects remain under threat

Meanwhile, the failed attack highlights the constant threats against crypto projects. SlowMist founder Yu Jian, who shared the incident on X, said that if the attack had happened, Coinbase would have become the next major security incident report.

His statement references the recent $1.5 billion hack of the ByBit exchange in February 2025. Jian added that companies that use tj-actions or reviewdog need to conduct a self-examination to ensure their secrets have not been leaked.

Interestingly, supply chain attacks such as this have led to massive losses before. In 2024, one user lost 10 BTC valued at $725,000 to an attack exploiting the updates to the Lottie Player npm package, a Java-script animation library that several decentralized applications use.

Beyond that, security exploits in different forms remain common in the Web3 space. A few days ago, restaking assets for real-world assets, ZOTH lost over $8 million due to modification of its logic contract with malicious code after the bad actor gained admin privileges.

Cryptopolitan Academy: Want to grow your money in 2025? Learn how to do it with DeFi in our upcoming webclass. Save Your Spot