Coinbase Was Primary Target in GitHub Attack: Cybersecurity Firms

Written By:
Iyiola Adrian

Reviewed By:
Jahnu Jagtap


Coinbase exchange was the first target in the recent GitHub Actions supply chain attack, according to cybersecurity firms Palo Alto Networks Unit 42 and Wiz. 

The first signs of the attack showed up on March 14, 2025, when the attacker found a weakness in tj-actions/changed-files, a tool used in GitHub, and tried to use it to break into Coinbase’s open-source project, AgentKit. But Coinbase caught on quickly and stopped them. After that, the hacker switched tactics and went after thousands of other repositories instead.

Coinbase escapes cyber attack | Source: X

Before launching the attack, the hacker made more than 20 test attempts with different kinds of code. Once Coinbase shut them down, they decided to try another approach and targeted all versions of tj-actions/changed-files.

The attack put over 23,000 repositories at risk, but Unit 42 believes the actual number could be even higher. Wiz, another security firm, looked into the hacker’s identity and found that they are likely an active crypto community member, probably based in Europe or Africa. Coinbase hasn’t made an official statement, but experts say they successfully stopped the attack before any serious damage was done.

Since breaking into Coinbase didn’t work, the hacker changed plans and targeted a much larger group of GitHub users. Endor Labs, another cybersecurity company, discovered that at least 218 repositories had been affected. This led to leaks of AWS, npm, Docker Hub, and GitHub access tokens, which are essentially login details for developer tools. Fortunately, most of the leaked tokens expired quickly, so the damage wasn’t as bad as it could have been.

Endor Labs researcher Henrik Plate said the attack seemed really intense at first, but Coinbase’s quick response likely forced the hacker to switch targets. 

Yu Jian, founder of SlowMist, warned that if this attack had worked, it could have been as bad as the ByBit hack in February 2025, where hackers made off with $1.5 billion. He advised firms that use GitHub tools like tj-actions to carry out regular security checks to avoid being the next target.
