The recent supply chain attack that began with a focus on Coinbase has been traced back to the compromise of a personal access token (PAT) connected to the SpotBugs project. Palo Alto Networks’ Unit 42 reported that attackers initially exploited the GitHub Actions workflow of SpotBugs, which is widely used for static code analysis, thereby facilitating lateral movement within the SpotBugs repositories until they gained access to another project called reviewdog.
Evidence indicates that the malicious activity can be traced back to November 2024, although the attack on Coinbase occurred in March 2025. Unit 42’s findings revealed that the reviewdog GitHub Action was compromised due to a leaked PAT from its maintainer. This lapse allowed the attackers to deploy a rogue version of "reviewdog/action-setup," which was subsequently pulled into "tj-actions/changed-files" because another action in its dependency chain listed it as a dependency.
The investigation also discovered that the maintainer was involved in SpotBugs, enabling attackers to push a malicious workflow file to the SpotBugs repository using a disposable username. This led to the leakage of the maintainer’s PAT during workflow execution. The compromised token provided access not only to SpotBugs but also to reviewdog, making it a crucial point of exploitation.
The attackers had somehow gained an account with write permissions to the SpotBugs repository, allowing them to push a rogue branch and access continuous integration (CI) secrets. It was later revealed that the malicious user, "jurkaofavak," was invited to become a member of the repository by one of the project maintainers back in March 2025.
This invitation was linked to a fork of the "spotbugs/sonar-findbugs" repository from which a malicious pull request was opened. The pull request exploited GitHub Actions workflows that use the "pull_request_target" trigger, which allowed the workflow running on fork-submitted code to access sensitive secrets, resulting in a poisoned pipeline execution.
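The two workflow weaknesses the article describes (a "pull_request_target" workflow that checks out untrusted pull request code while it holds secrets, and third-party actions such as "reviewdog/action-setup" referenced by a mutable tag that can be retargeted to a rogue version) can be flagged by a simple scan of workflow files. The following scanner is an added example written for this page; it is not tooling from Unit 42, SpotBugs or reviewdog. It does a line-based scan rather than a full YAML parse, and the two embedded workflows are constructed samples whose commit pins are placeholder values, not real commits.

```python
"""Flag GitHub Actions workflow patterns behind the SpotBugs/reviewdog incident.

Rules (defensive checks, added example for this article):
  pr-target-checks-out-fork   pull_request_target runs with repository secrets,
                              and a step checks out the untrusted PR head.
  mutable-action-ref          an action is referenced by tag/branch, which the
                              action's owner (or an attacker holding their PAT)
                              can move to malicious code; pin to a commit SHA.
  default-token-permissions   no top-level permissions: block, so GITHUB_TOKEN
                              falls back to the repository default scope.
"""
import re
from dataclasses import dataclass

SHA_RE = re.compile(r"^[0-9a-f]{40}$")             # only immutable form of a pin
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([\w.-]+/[\w./-]+)@(\S+)")
PR_HEAD_RE = re.compile(r"github\.event\.pull_request\.head\.(?:sha|ref)")
COMMENT_RE = re.compile(r"^\s*#")


@dataclass
class Finding:
    line: int      # 1-based line in the workflow text, 0 for file-level findings
    rule: str
    detail: str


def scan_workflow(text: str) -> list[Finding]:
    """Return a list of findings for one workflow file's text."""
    findings: list[Finding] = []
    code_lines = [(i, l) for i, l in enumerate(text.splitlines(), 1)
                  if not COMMENT_RE.match(l)]
    # The trigger may be written as `on: [pull_request_target]` or as a mapping key.
    uses_prt = any(re.search(r"\bpull_request_target\b", l) for _, l in code_lines)
    if not any(re.match(r"^permissions:", l) for _, l in code_lines):
        findings.append(Finding(0, "default-token-permissions",
                                "no top-level permissions: block; GITHUB_TOKEN "
                                "scope falls back to the repository default"))
    for i, l in code_lines:
        m = USES_RE.match(l)
        if m:
            action, ref = m.groups()
            if not SHA_RE.match(ref):
                findings.append(Finding(i, "mutable-action-ref",
                                        f"{action}@{ref} is a tag/branch that can be "
                                        "retargeted; pin to a full commit SHA"))
        if uses_prt and re.match(r"^\s*ref:", l) and PR_HEAD_RE.search(l):
            findings.append(Finding(i, "pr-target-checks-out-fork",
                                    "pull_request_target has secrets, and this step "
                                    "checks out the untrusted pull request head"))
    return findings


# Constructed sample: the shape of a poisoned-pipeline-execution target.
VULNERABLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: reviewdog/action-setup@v1
      - run: ./gradlew test
        env:
          TOKEN: ${{ secrets.SOME_TOKEN }}
"""

# Constructed sample: same job hardened. The 40-hex refs are placeholders, not
# real commits; in practice copy the SHA of the release you reviewed.
HARDENED_WORKFLOW = """\
name: ci
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
      - uses: reviewdog/action-setup@bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
      - run: ./gradlew test
"""

if __name__ == "__main__":
    for name, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"== {name} ==")
        for f in scan_workflow(wf):
            print(f"  line {f.line:>2}  {f.rule:<28} {f.detail}")
```

The hardened sample switches the trigger to "pull_request", under which a workflow started from a fork does not receive repository secrets; if a project genuinely needs "pull_request_target" (for example to comment on the PR), the rule of thumb the scanner encodes is to never check out or execute the PR head in that job. Pinning actions to commit SHAs addresses the second stage of this incident, where a trusted action name was pointed at a rogue version.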
The SpotBugs maintainer confirmed that the same PAT used in the malicious workflow was later leveraged to invite the harmful user. To mitigate further risks, the maintainer has since rotated all tokens and PATs.
An intriguing aspect of this incident is the time lapse between the PAT leakage and its actual abuse, occurring over a three-month period. Analysts suggest that the attackers may have been monitoring dependencies linked to "tj-actions/changed-files" before pivoting toward higher-value targets like Coinbase.
Unit 42 researchers are left wondering why, after months of effort, the attackers exposed their secrets in logs, inadvertently revealing parts of their attack strategy.