Coinbase Fends Off Sophisticated GitHub Attack, 218 Repos Compromised
Coinbase, a leading cryptocurrency exchange, successfully defended against a sophisticated attack targeting its GitHub projects in March 2025. The incident, given the CVE number CVE-2025-30066, compromised 218 repositories and exposed sensitive secrets.
The attack began in November 2024 when an unknown threat actor gained unauthorized access to spotbugs. This led to the compromise of reviewdog and tj-actions/changed-files. The attacker's ultimate goal was Coinbase's open-source agentkit project, aiming to use it as a stepping stone for further actions.
Coinbase thwarted the attacker's plan by promptly removing the malicious workflow on March 14, 2025. However, the attacker had already infiltrated the reviewdog/action-setup GitHub project, inserting a malicious backdoor. This backdoor allowed the attacker to print CI/CD secrets in GitHub Actions build logs, affecting 218 repositories. The compromised tj-actions/changed-files action was responsible for this exposure.
The incident was traced back to the theft of a single token from a spotbugs workflow. Despite initial fears of 23,000 repositories being at risk, only 218 were ultimately affected. The US CISA's Known Exploited Vulnerabilities catalog now includes this incident.
The attack on Coinbase's GitHub projects highlights the importance of vigilance and prompt response in cybersecurity. While the responsible party remains unknown, the incident serves as a reminder of the potential risks in open-source supply chains. Coinbase's swift action limited the damage, with only 218 repositories compromised out of the initially feared 23,000.
