GitHub Action attack initially set sights on Coinbase
Cybersecurity Dive reports that researchers at Palo Alto Networks Unit 42 and Wiz have disclosed that the supply chain compromise of the GitHub Action tj-actions/changed-files, tracked as CVE-2025-30066, was originally aimed at major U.S. cryptocurrency exchange Coinbase before being widened into a broad attack on every user of the action.
According to the Unit 42 report, the threat actors published more than two dozen commits carrying different payloads before proceeding with the more widespread attack. "After Coinbase detected and mitigated the issue on their end, the attacker decided to perform the widespread attack by affecting all tag versions of tj-action/changed-files," said Palo Alto Networks Senior Research Manager Omer Gil. While over 23,000 repositories were found to be vulnerable to the large-scale intrusion because they reference the action, Unit 42 researchers noted that the actual toll could be much higher. The development follows an Endor Labs report that only 218 GitHub repositories had secrets, including GitHub install action tokens as well as Docker, npm, and AWS credentials, exposed as a result of the tj-actions/changed-files attack.
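Because the attacker retargeted every tag of the action, any workflow that referenced tj-actions/changed-files by a tag or branch name (v45, main, and so on) resolved to the malicious commit, while a reference pinned to a full 40-character commit SHA did not move. The script below is an added example, not code from the article, Unit 42, Wiz, or the tj-actions project: it scans workflow text for `uses:` lines, records whether each reference is a SHA pin or a mutable ref, and flags the watched action when it is not pinned. The sample workflow, the action versions in it, and the placeholder SHA are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample workflow (not taken from the page); the SHA is a placeholder.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: tj-actions/changed-files@main
      - uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567 # v46.0.1
      - run: echo done
"""

# Matches "uses: owner/repo[/path]@ref" with optional quotes; local (./path) and
# docker:// references carry no "@ref" and are deliberately not matched.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#@]+)@([^\s"\'#]+)')
# A full commit SHA is the only reference GitHub resolves immutably.
SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def audit_workflow(text: str,
                   watched: Tuple[str, ...] = ("tj-actions/changed-files",)
                   ) -> List[Dict]:
    """Return one finding per external action reference in a workflow file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group(1), m.group(2)
        # "owner/repo/subdir" still belongs to repository "owner/repo".
        repo = "/".join(action.split("/")[:2])
        findings.append({
            "line": lineno,
            "action": action,
            "ref": ref,
            "pinned_to_sha": bool(SHA_RE.match(ref)),
            "watched": repo in watched,
        })
    return findings


def mutable_refs(findings: List[Dict]) -> List[Dict]:
    """Every reference a tag/branch retarget could silently redirect."""
    return [f for f in findings if not f["pinned_to_sha"]]


def exposed_watched(findings: List[Dict]) -> List[Dict]:
    """Watched actions referenced by a mutable ref: the CVE-2025-30066 pattern."""
    return [f for f in mutable_refs(findings) if f["watched"]]


if __name__ == "__main__":
    found = audit_workflow(SAMPLE_WORKFLOW)
    for f in exposed_watched(found):
        print(f"line {f['line']}: {f['action']}@{f['ref']} is not SHA-pinned")
```

Run it over each file under `.github/workflows/` to get a list of references to re-pin; note that a SHA pin only guarantees you get the commit you reviewed, it does not tell you whether that commit is clean, so the pinned SHA should be one you have inspected or one published by the maintainer out of band.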