In a recent cybersecurity incident, a supply chain attack that initially targeted Coinbase and later expanded to affect users of the tj-actions/changed-files GitHub Action has been traced back to the theft of a personal access token (PAT) associated with SpotBugs, a widely used open-source tool for static code analysis.
Palo Alto Networks’ Unit 42 revealed that attackers exploited the GitHub Actions workflow of SpotBugs to gain initial access. This exploitation allowed them to move laterally across SpotBugs repositories until they accessed reviewdog, another open-source project. Evidence suggests that the malicious activities began as early as November 2024, although the attack on Coinbase occurred in March 2025.
The investigation uncovered that the compromise of reviewdog’s GitHub Action resulted from a leaked PAT belonging to the project’s maintainer. This leak enabled threat actors to push a malicious version of reviewdog/action-setup, which tj-actions/changed-files then pulled in through its dependency on tj-actions/eslint-changed-files.
Further analysis revealed that the maintainer of reviewdog was also involved with SpotBugs. Attackers introduced a malicious GitHub Actions workflow file into the spotbugs/spotbugs repository using a disposable account named jurkaofavak. When this workflow executed, it exposed the maintainer’s PAT. This same PAT provided access to both spotbugs/spotbugs and reviewdog/action-setup, facilitating the poisoning of reviewdog/action-setup.
Unit 42 noted that the attacker possessed write permissions in the spotbugs/spotbugs repository, enabling them to push a branch and access continuous integration (CI) secrets. The write permissions were obtained when jurkaofavak was invited to the repository by a SpotBugs maintainer on March 11, 2025.
The attackers initially forked the spotbugs/sonar-findbugs repository and submitted a pull request under the username randolzfow. On November 28, 2024, the SpotBugs maintainer modified a workflow in spotbugs/sonar-findbugs to use their own PAT due to technical issues in the CI/CD process. On December 6, 2024, the attacker submitted a malicious pull request to spotbugs/sonar-findbugs, exploiting a GitHub Actions workflow triggered by pull_request_target.
Unlike the plain pull_request trigger, pull_request_target runs the workflow in the context of the base repository, with access to its secrets, even when the pull request comes from a fork; a workflow that then checks out and executes the fork’s code exposes those secrets, in this case the PAT, to the contributor. This is known as a poisoned pipeline execution attack. The SpotBugs maintainer confirmed that the PAT used in the workflow was the same token later used to invite jurkaofavak to the spotbugs/spotbugs repository. The maintainer has since rotated all tokens and PATs to revoke the leaked credential and prevent further unauthorized access.
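As an added defensive check, not code from the article or from the SpotBugs or reviewdog projects, the following Python scanner flags the workflow pattern described above: a pull_request_target trigger combined with a checkout of the pull request's head or with secret references. The two workflow texts and the secret name MAINTAINER_PAT are constructed samples, not the real SpotBugs workflows.

```python
"""Flag workflows that pair pull_request_target with a checkout of the PR head:
the job holds the base repository's secrets, so fork code it runs can read them."""
import re

# Trigger as a scalar/inline list after "on:" or as a key or list item under it.
TRIGGER_RE = re.compile(
    r"^\s*on:\s*(\[[^\]]*)?\bpull_request_target\b"
    r"|^\s*-?\s*pull_request_target\b\s*:?.*$",
    re.M,
)
# actions/checkout "ref:" pointing at the fork's commit or branch.
HEAD_REF_RE = re.compile(
    r"ref:\s*\$\{\{\s*(github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref)\s*\}\}"
)

def find_risks(workflow: str) -> list:
    """Return findings for one workflow file's text; [] means nothing flagged."""
    findings = []
    if TRIGGER_RE.search(workflow) is None:
        return findings  # plain pull_request gives fork PRs no secrets
    if HEAD_REF_RE.search(workflow):
        findings.append("pull_request_target checks out the PR head: fork code runs with secrets")
    if "${{ secrets." in workflow:
        findings.append("secrets referenced under pull_request_target; confirm no step runs fork code")
    return findings

# Constructed samples: the first mirrors the article's pattern, the second is the safe form.
VULNERABLE = """\
on:
  pull_request_target:
jobs:
  test:
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
        env:
          TOKEN: ${{ secrets.MAINTAINER_PAT }}
"""
HARDENED = """\
on:
  pull_request:
jobs:
  test:
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""
```

Run `find_risks` over each file under `.github/workflows/` to spot workflows that need the pull_request trigger instead, or a split into a secret-free job that handles fork code.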
This incident underscores the critical importance of securing access tokens and implementing robust security measures in CI/CD workflows to prevent supply chain attacks.