The supply chain attack leveraging the GitHub Action “tj-actions/changed-files” began as a focused assault on one of Coinbase’s open-source projects before rapidly escalating into a broader incident.
According to a report from Palo Alto Networks Unit 42, the initial payload targeted the continuous integration/continuous deployment (CI/CD) pipeline of Coinbase’s open-source project, agentkit. The goal appeared to be to use the breach as a stepping stone for further intrusions, though the attackers did not succeed in extracting Coinbase secrets or publishing any packages.
The incident was first identified on March 14, 2025, when it was discovered that “tj-actions/changed-files” had been compromised to inject malicious code that leaked sensitive secrets from repositories executing the workflow. This vulnerability has been designated as CVE-2025-30066, with a CVSS score of 8.6.
Endor Labs estimates that 218 GitHub repositories had their secrets exposed due to this supply chain attack. The majority of the compromised data included several dozen credentials for services such as DockerHub, npm, and Amazon Web Services (AWS), along with GitHub install access tokens.
Security researcher Henrik Plate commented on the scale of the attack, noting, “The initial scale of the supply chain attack sounded scary, considering that tens of thousands of repositories depend on the GitHub Action. However, a closer examination reveals that the actual impact is limited: ‘Only’ 218 repositories leaked secrets, and most of these were ephemeral GITHUB_TOKENs that expire after a workflow run completes.”
Adding another layer of complexity, it has emerged that the v1 tag of another GitHub Action, “reviewdog/action-setup”—a dependency of “tj-actions/eslint-changed-files”—was also compromised shortly before the tj-actions incident. This breach, tracked as CVE-2025-30154 (CVSS score: 8.6), appears to have enabled the attacker to acquire a personal access token (PAT) associated with “tj-actions/changed-files.” With this PAT, the threat actor modified the repository and injected the malicious payload, ultimately affecting all GitHub repositories that relied on this action.
Unit 42 researchers explained that when the “tj-actions/eslint-changed-files” action was executed, the compromised CI runner’s secrets were exposed, allowing attackers to steal the credentials—including a PAT linked to the tj-bot-actions GitHub account. It is suspected that the attacker gained access to a token with write permissions to the reviewdog organization, though the method of acquisition remains unclear.
The malicious commits to “reviewdog/action-setup” were executed by forking the repository, making changes in the fork, and then submitting a pull request to the original repository—a technique known as a dangling commit. Senior Research Manager Omer Gil from Palo Alto Networks noted that the attacker went to great lengths to hide their tracks, using dangling commits, creating multiple temporary GitHub accounts, and obfuscating their actions in workflow logs, particularly during the initial Coinbase attack. Gil speculated that the user account behind the fork pull request, “iLrmKCu86tjwp8,” may have concealed its identity by switching from a verified email to an anonymous, disposable one, in violation of GitHub’s policies. GitHub has neither confirmed nor denied this hypothesis, stating only that it is actively reviewing the situation and will take action as needed.
GitHub emphasized that there is no evidence suggesting a compromise of its own systems; the affected projects are user-maintained open-source projects. The company continues to monitor reports related to repository content, including malware and other malicious activities, in accordance with its Acceptable Use Policies. GitHub advises users to carefully review GitHub Actions and other third-party packages before updating to new versions.
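As an added illustration of the review GitHub recommends (this is not code from the article, Unit 42, or any of the projects involved): a small Python audit that walks a workflow file's `uses:` lines, flags references that are not pinned to a full commit SHA, and separately flags the actions named in this incident. The sample workflow and the 40-hex SHA in it are constructed placeholders.

```python
import re

# Actions named in the article's account of the incident; extend as needed.
KNOWN_AFFECTED = {"tj-actions/changed-files", "tj-actions/eslint-changed-files",
                  "reviewdog/action-setup"}
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)')
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

def audit_workflow(text):
    """Return (line_no, owner/repo, ref, issues) for each step worth a look.

    A ref that is not a full commit SHA (a tag such as v1, a branch, or no ref)
    can be retargeted by whoever controls the action's repo, which is how a
    poisoned tag reaches downstream workflows; incident actions are always flagged."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        if target.startswith(("./", "docker://")):  # local or container steps
            continue
        path, _, ref = target.partition("@")
        repo = "/".join(path.split("/")[:2])         # drop any sub-directory
        issues = []
        if repo in KNOWN_AFFECTED:
            issues.append("known-affected")
        if not FULL_SHA_RE.fullmatch(ref):
            issues.append("mutable-ref")
        if issues:
            findings.append((line_no, repo, ref, tuple(issues)))
    return findings

# Constructed sample workflow (not from any real repository); the SHA is a placeholder.
SAMPLE_WORKFLOW = """\
jobs:
  changed:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: reviewdog/action-setup@v1
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for line_no, repo, ref, issues in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {repo}@{ref or '<none>'} -> {', '.join(issues)}")
```

Run it over `.github/workflows/*.yml` in each repository; a "known-affected" hit on a mutable ref is the case to treat as urgent, and a pinned SHA should still be compared against the action's known-good history.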
Further investigation uncovered two deleted GitHub accounts, “2ft2dKo28UazTZ” and “mmvojwip,” which had created forks of Coinbase-related repositories such as onchainkit, agentkit, and x402. These accounts modified the “changelog.yml” file in the agentkit repository through a fork pull request, redirecting it to a malicious version of “tj-actions/changed-files” published earlier using the compromised PAT. It is believed the attacker leveraged a GitHub token with write access to the agentkit repository, obtained through the compromised GitHub Action, to execute these unauthorized changes.
An important nuance in the attack was the use of different payloads at various stages. Gil explained, “In the widespread attack, the attacker dumped the runner’s memory and printed secrets stored as environment variables to the workflow log, regardless of which workflow was running. However, when targeting Coinbase, the payload was designed to fetch the GITHUB_TOKEN and only execute if the repository belonged to Coinbase.” This hyper-specific targeting suggests that the attacker’s ultimate goal may have been financial gain, possibly attempting cryptocurrency theft given the focused assault on Coinbase. As of March 19, 2025, Coinbase has remediated the incident.
The switch from a targeted attack on Coinbase to a broader campaign may have been driven by the attacker’s realization that they could not exploit the Coinbase repository—especially after Coinbase detected and mitigated the breach. Fearing loss of access to the vulnerable “tj-actions/changed-files” action, the attacker appears to have quickly broadened their campaign, launching the widespread attack just 20 minutes after Coinbase’s response, despite the increased risk of detection.