Supply chain, Identity

Exposed SpotBugs token caused GitHub supply chain intrusion, report finds


More than 200 GitHub repositories had their secrets exposed in a supply chain attack against tj-actions/changed-files that was originally aimed at the major U.S. cryptocurrency exchange Coinbase; the intrusion traced back to an exfiltrated SpotBugs workflow token, BleepingComputer reports.

According to an analysis by Palo Alto Networks Unit 42 researchers, the chain began in late November, when a SpotBugs maintainer's Personal Access Token (PAT) was added to a CI workflow. In early December, attackers exfiltrated that PAT by exploiting a vulnerable 'pull_request_target' workflow, then used the stolen PAT to obtain another PAT, which last month enabled the exposure of repository secrets. The attack did not impact any Coinbase repositories, which took immediate action once the attempt became known, but it highlights several weaknesses in open-source repositories and the GitHub Actions ecosystem. All secrets in GitHub projects and repositories that use the affected actions should be rotated immediately, and GitHub Actions logs between Mar. 10 and 14 should be reviewed.
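As an added example (not from the report, Unit 42, or any of the projects named), a small Python heuristic that scans a GitHub Actions workflow for the pattern the article describes: a pull_request_target trigger combined with a checkout of the pull request's head commit, which runs untrusted PR code with the workflow's secrets. It also lists the secrets the workflow references, which is the rotation list a defender needs. The two workflow texts are constructed; the check is line-oriented, not a full YAML parser.

```python
import re

# Constructed sample workflows (not from the page or any real repository).
VULNERABLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: ./gradlew build
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
"""

HARDENED_WORKFLOW = """\
name: ci
on:
  pull_request:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./gradlew build
"""

PRT_RE = re.compile(r"\bpull_request_target\b")
PR_HEAD_RE = re.compile(r"github\.event\.pull_request\.head\.(?:sha|ref)|github\.head_ref")
CHECKOUT_RE = re.compile(r"uses:\s*actions/checkout")
SECRET_RE = re.compile(r"secrets\.([A-Za-z_][A-Za-z0-9_]*)")

def referenced_secrets(text):
    """Names of secrets the workflow reads; these are the ones to rotate."""
    return sorted(set(SECRET_RE.findall(text)))

def audit_workflow(text):
    """Return (line, message) findings for pull_request_target + PR-head checkout."""
    findings = []
    if not PRT_RE.search(text):
        return findings  # trigger absent: the risky combination cannot occur
    in_checkout = False
    for n, line in enumerate(text.splitlines(), 1):
        if re.match(r"\s*-\s", line):          # a new step (YAML list item) begins
            in_checkout = False
        if CHECKOUT_RE.search(line):
            in_checkout = True                 # inside an actions/checkout step
        if in_checkout and PR_HEAD_RE.search(line):
            findings.append((n, "pull_request_target checks out PR head; secrets at risk: "
                                + ", ".join(referenced_secrets(text))))
    return findings
```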
