Coinbase targeted after recent GitHub attacks
Coinbase was not breached, but the attack was not exactly a failure

- Researchers claim primary target of a recent cascading supply chain attack was Coinbase
- The cryptocurrency exchange was not compromised, but hundreds of other projects might suffer
- The attack went through a GitHub Action tool
The endgame of the recent cascading supply chain attack on GitHub was to breach Coinbase, one of the world’s most popular centralized cryptocurrency exchanges, experts have claimed.
Cybersecurity researchers from Unit 42 (Palo Alto) and Wiz revealed the attack, noting that although Coinbase successfully defended itself, it is difficult to deem the attack a failure, since hundreds of other projects suffered as collateral damage.
Coinbase claims no damage was done; however, 218 other repositories are thought to have been impacted as a result of this attack.
No damage to Coinbase
A cascading supply chain attack is a cyberattack where compromising one component, such as a software dependency or tool, triggers a chain reaction that spreads the breach to multiple connected systems or projects.
In this case, cybercriminals tampered with a small tool, a GitHub Action called reviewdog/action-setup@v1. It is a popular tool that helps automate tasks in software projects. How they breached this Action wasn’t revealed, but the attackers managed to get the tool to leak certain access codes into publicly visible logs.
They then used these codes to inject more malicious code into another widely used tool, called tj-actions/changed-files. This tool is part of Coinbase's development process, and by compromising it, the attackers tried to move into the exchange’s code repository, gain deeper access, and wreak more havoc.
"The attacker obtained a GitHub token with write permissions to the coinbase/agentkit repository on March 14, 2025, 15:10 UTC, less than two hours before the larger attack was initiated against tj-actions/changed-files," Palo Alto Unit 42 said.
"We followed up by sharing more details of our findings with Coinbase, which stated that the attack was unsuccessful at causing any damage to the agentkit project, or any other Coinbase asset," the researchers added.
Once the threat actors realized their attack against Coinbase was unsuccessful, they pivoted to other projects, the researchers said. We don’t know if any other attacks were more fruitful for the criminals.
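For teams checking their own exposure, the sketch below (an added example, not code from the article or from the researchers) scans a workflow file for steps that use the two actions named above and reports whether each is referenced by a movable tag or branch rather than a full commit SHA. The pinning distinction and the sample workflow are assumptions of this example; a pinned SHA still has to be compared against a known-good commit.

```python
import re

# Actions named in the article as tampered with in this attack chain.
NAMED_ACTIONS = {"reviewdog/action-setup", "tj-actions/changed-files"}

# Matches a workflow step such as "- uses: owner/repo/path@ref  # comment".
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?(?P<action>[^@\s'"#]+)@(?P<ref>[^\s'"#]+)""")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def audit_workflow(text):
    """Return one finding per `uses:` line that references a named action."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # commented-out step
        m = USES_RE.match(line)
        if not m:
            continue
        # Keep only owner/repo so sub-path actions (owner/repo/dir) still match.
        repo = "/".join(m.group("action").split("/")[:2]).lower()
        if repo not in NAMED_ACTIONS:
            continue
        ref = m.group("ref")
        findings.append({
            "line": lineno,
            "action": repo,
            "ref": ref,
            # Assumption of this example: a tag or branch can be repointed by
            # whoever controls the action's repo; a full commit SHA cannot.
            "mutable_ref": not FULL_SHA_RE.match(ref.lower()),
        })
    return findings

# Constructed sample workflow (not taken from any real repository).
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: reviewdog/action-setup@v1
      # - uses: tj-actions/changed-files@main
      - name: changed files
        uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f['line']}: {f['action']}@{f['ref']} mutable_ref={f['mutable_ref']}")
```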
Via BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

















