Coinbase exchange was the first target in the recent GitHub Actions supply chain attack, according to cybersecurity firms Palo Alto Networks Unit 42 and Wiz.
The first signs of the attack showed up on March 14, 2025, when the attacker found a weakness in tj-actions/changed-files, a tool used in GitHub, and tried to use it to break into Coinbase’s open-source project, AgentKit. But Coinbase caught on quickly and stopped them. After that, the hacker switched tactics and went after thousands of other repositories instead.
Before launching the attack, the hacker made more than 20 test attempts with different kinds of code. Once Coinbase shut them down, they decided to try another approach. They target all versions of tj-actions/changed-files.
The attack put over 23,000 repositories at risk, but Unit 42 believes the actual number could be even higher. Wiz, another security firm, looked into the hacker’s identity and found that they are likely an active crypto community member, probably based in Europe or Africa. Coinbase hasn’t made an official statement, but experts say they successfully stopped the attack before any serious damage was done.
Since breaking into Coinbase didn’t work, the hacker changed plans and targeted a much larger group of GitHub users. Endor Labs, another cybersecurity company, discovered that at least 218 repositories had been affected. This led to leaks of AWS, npm, Dockerhub, and GitHub access tokens, basically, login details for developer tools. Fortunately, most of the leaked tokens expired quickly, so the damage wasn’t as bad as it could have been.
Endor Labs researcher Henrik Plate said the attack seemed really intense at first, but Coinbase’s quick response likely forced the hacker to switch targets.
Yu Jian, the founder of SlowMist, warned that had this attack been successful, it would have been as disastrous as the ByBit hack in February 2025,
Yu Jian, founder of SlowMist, warned that if this attack had worked, it could have been as bad as the ByBit hack in February 2025, where hackers made off with $1.5 billion. He advised firms that use GitHub tools like tj-actions to carry out regular security checks to avoid being the next target.
