GitHub Actions Supply Chain Attack: A Targeted Attack on Coinbase

Attackers aren’t just stealing secrets—they’re chaining Non-Human Identities (NHIs) in multi-stage campaigns to breach high-value targets. A recent update from Palo Alto researchers reveals a sophisticated NHI-based attack that went beyond a single compromised token, evolving into a full-blown multi-stage campaign.

How the Attack Unfolded:

1. Initial Compromise:

  • Attackers stole a Personal Access Token (PAT) from a maintainer of SpotBugs, a static analysis tool.
  • The stolen PAT was injected into a CI pipeline vulnerable to malicious GitHub Actions.

2. Lateral Movement:

  • The first PAT was used to push another malicious GitHub Action, which then stole a second maintainer’s PAT—this one had write access to reviewdog/action-setup, a widely used GitHub Action.
  • By compromising this Action, attackers gained access to `tj-actions/eslint-changed-files` and infected it.

3. Final Stage:

  • The final malicious Action was modified to expose GitHub Action secrets in logs, potentially impacting tens of thousands of repositories.
  • Instead of a broad attack, the hackers targeted Coinbase, a high-value cryptocurrency exchange.
  • Fortunately, no Coinbase secrets were exposed before the attack was stopped.

You Should Know:

1. Protecting GitHub PATs (Personal Access Tokens)

  • Rotate PATs regularly:
    # Classic PATs can only be listed and revoked in github.com/settings/tokens.
    # Fine-grained PATs that touch an organization can be listed via the API (GitHub CLI required)
    gh api /orgs/<ORG>/personal-access-tokens --paginate
    # Revoke a compromised fine-grained PAT by the id returned above
    gh api -X POST /orgs/<ORG>/personal-access-tokens -f action=revoke -F "pat_ids[]=<PAT_ID>"

  • Restrict PAT permissions:
    – Use least privilege: only grant the repo/org access a token actually needs.
    – Enable IP allowlisting for PATs.

2. Securing GitHub Actions

  • Audit workflows for malicious code:
    # List all workflows in the repository
    gh workflow list
    # Print a specific workflow's YAML for review
    gh workflow view <WORKFLOW_ID> --yaml

  • Use `pull_request_target` carefully: it runs with the base repository's secrets, so never execute code taken from the untrusted pull request head in such a workflow.
  • Grant `GITHUB_TOKEN` read-only permissions where possible (top-level block of the workflow YAML):
    permissions:
      contents: read
      actions: read
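The checks in this section can be automated. The following script is an added example (not code from the article or from any of the projects it names): it reads a workflow file line by line with regular expressions, so it needs no YAML library, and flags `uses:` references that are not pinned to a full commit SHA, `pull_request_target` workflows that check out the pull request head, and a missing or `write-all` top-level `permissions:` block. The two sample workflows and the 40-character "a" pin are constructed for the demonstration; `tj-actions/eslint-changed-files` is the Action named in the incident above, and `actions/checkout` is the standard checkout Action.

```python
"""Static checks for GitHub Actions workflow files (added example, not from the article).

Flags three patterns tied to the mitigations above:
  1. `uses:` references not pinned to a full 40-hex commit SHA (a moving tag or
     branch is what lets a compromised Action flow into your pipeline)
  2. a `pull_request_target` workflow that checks out the pull request head,
     i.e. runs untrusted code with the base repository's secrets
  3. a missing or `write-all` top-level `permissions:` block
"""
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
PR_HEAD_RE = re.compile(r"github\.event\.pull_request\.head\.(?:sha|ref)")
TOP_PERM_RE = re.compile(r"^permissions:\s*(\S*)")  # column 0 = workflow-level block


def audit_workflow(text):
    """Return a list of human-readable findings for one workflow file."""
    findings = []
    if "pull_request_target" in text and PR_HEAD_RE.search(text):
        findings.append("pull_request_target workflow checks out the untrusted PR head")

    top_permissions = None
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            if ref.startswith(("./", "docker://")):  # local or image refs: SHA pinning does not apply
                continue
            target, _, version = ref.partition("@")
            if not SHA_RE.match(version):
                findings.append(f"line {lineno}: {target} pinned to '{version or '(none)'}', not a commit SHA")
        m = TOP_PERM_RE.match(line)
        if m:
            top_permissions = m.group(1)

    if top_permissions is None:
        findings.append("no top-level permissions: block, GITHUB_TOKEN falls back to repository defaults")
    elif top_permissions == "write-all":
        findings.append("top-level permissions: write-all grants GITHUB_TOKEN every scope")
    return findings


# Constructed sample inputs: a weak workflow shaped like the attack path above, and a hardened one.
WEAK_WORKFLOW = """\
name: lint
on: [pull_request_target]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: tj-actions/eslint-changed-files@main
"""

HARDENED_WORKFLOW = """\
name: lint
on: [pull_request]
permissions:
  contents: read
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      # placeholder 40-hex pin (constructed, not a real commit); pin to the SHA you reviewed
      - uses: actions/checkout@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
      - uses: ./.github/actions/lint
"""

if __name__ == "__main__":
    for name, workflow in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, audit_workflow(workflow) or ["clean"])
```

Run it over every file under `.github/workflows/` in CI and fail the job on any finding; the weak sample yields four findings, the hardened one none.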

3. Detecting Malicious Log Exfiltration

  • Monitor workflow logs for secrets leakage:
    # Pull a run's log and search it for key=value pairs that name a secret (example regex)
    gh run view <RUN_ID> --log | grep -iE "(token|secret|password)\s*[=:]"
    # Also check the workflow definitions themselves (the directory is .github/workflows, not ./github/workflows)
    grep -rEi "(token|secret|password)\s*[=:]" .github/workflows/
  • Use GitHub’s Code Scanning & Dependabot to detect tampered Actions.
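A grep for the word "token" catches the obvious case but misses encoded dumps and raises noise on placeholders. The scanner below is an added example (not from the article) that checks each log line for three signals: documented GitHub token prefixes (`ghp_`, `gho_`, `ghu_`, `ghs_`, `ghr_`, `github_pat_`), key=value pairs whose value has high Shannon entropy, and long base64-looking blobs. The sample log, the synthetic token values and the base64 payload are all constructed.

```python
"""Detect secret material in CI log lines (added example, not from the article).

GitHub masks the secrets a workflow declares as ***, so anything that still
shows up in plain text got there another way, e.g. an Action that prints it.
Three signals are checked per line:
  1. documented GitHub token prefixes (ghp_/gho_/ghu_/ghs_/ghr_, github_pat_)
  2. key=value pairs whose key names a secret and whose value has high
     Shannon entropy (placeholders such as REDACTED score low)
  3. long base64-looking blobs, the usual shape of an encoded secret dump
"""
import base64
import math
import re

GITHUB_TOKEN_RE = re.compile(r"\b(?:gh[opsur]_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{22,})")
ASSIGNMENT_RE = re.compile(r"(?i)(token|secret|password|api[_-]?key)\s*[=:]\s*['\"]?([A-Za-z0-9_\-./+=]{12,})")
BLOB_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def shannon_entropy(s):
    """Bits per character: 0 for one repeated character, up to log2(len(s)) when all differ."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_log(text, value_threshold=3.5, blob_threshold=4.0):
    """Return (line_number, signal, detail) for every line that leaks secret material."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = GITHUB_TOKEN_RE.search(line)
        if m:
            findings.append((lineno, "github_token", m.group(0)[:8] + "..."))
            continue
        m = ASSIGNMENT_RE.search(line)
        if m and shannon_entropy(m.group(2)) >= value_threshold:
            findings.append((lineno, "high_entropy_value", m.group(1)))
            continue
        for blob in BLOB_RE.findall(line):
            if shannon_entropy(blob) >= blob_threshold:
                findings.append((lineno, "encoded_blob", f"{len(blob)} chars"))
                break
    return findings


# Constructed sample log; the "secrets" are synthetic and the blob is base64 of a made-up JSON payload.
_FAKE_BLOB = base64.b64encode(b'{"DEPLOY_KEY":"' + bytes(range(33, 90)) + b'"}').decode()
SAMPLE_LOG = "\n".join([
    "Run tj-actions/eslint-changed-files@main",
    "GITHUB_TOKEN=***",                                # masked by the runner: fine
    "npm WARN deprecated eslint@7.0.0",
    "DEPLOY_TOKEN=ghp_" + "A" * 36,                    # classic PAT shape, synthetic value
    "AWS_SECRET=K7xR2mPq9vLw4nZt8bYc3dFh6jGs1uXe",     # unmasked high-entropy value
    "token=REDACTED_REDACTED",                         # low entropy: not flagged
    "payload=" + _FAKE_BLOB,                           # encoded dump
])

if __name__ == "__main__":
    for lineno, signal, detail in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {signal} ({detail})")
```

Feed it the output of `gh run view <RUN_ID> --log`; on the sample it reports lines 4, 5 and 7 and stays quiet on the masked token and the REDACTED placeholder.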

4. Mitigating NHI-Based Attacks

  • Implement Just-In-Time (JIT) access controls.
  • Use HashiCorp Vault or AWS Secrets Manager for dynamic secrets.
  • Monitor abnormal PAT usage:
    # Pull the organization audit log (GitHub Enterprise Cloud only)
    gh api /orgs/<ORG>/audit-log --paginate
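Pulling the audit log is only useful with a baseline to compare against. The script below is an added example (not from the article): it builds a per-actor baseline of source IPs and action categories from older audit-log records and reports newer records that break it. The field names `action`, `actor`, `created_at` and `actor_ip` follow the audit-log REST API, with the caveat that `actor_ip` is only populated when IP disclosure is enabled for the organization; the records, IPs and action names are constructed for illustration.

```python
"""Flag abnormal automation-identity use in GitHub audit-log records (added example, not from the article).

Builds a per-actor baseline of source IPs and action categories (the part of
`action` before the dot) from older records, then reports newer records that
break the baseline. Field names follow the audit-log REST API; `actor_ip` is
only present when IP disclosure is enabled for the organization.
"""
from collections import defaultdict


def build_baseline(history):
    """actor -> {"ips": set of source IPs, "categories": set of action categories}."""
    baseline = defaultdict(lambda: {"ips": set(), "categories": set()})
    for rec in history:
        entry = baseline[rec["actor"]]
        entry["ips"].add(rec.get("actor_ip", "unknown"))
        entry["categories"].add(rec["action"].split(".")[0])
    return baseline


def detect_anomalies(history, recent):
    """Return (created_at, actor, reason) for recent records that deviate from the actor's history."""
    baseline = build_baseline(history)
    alerts = []
    for rec in recent:
        actor = rec["actor"]
        if actor not in baseline:
            alerts.append((rec["created_at"], actor, "no history for this actor"))
            continue
        reasons = []
        ip = rec.get("actor_ip", "unknown")
        category = rec["action"].split(".")[0]
        if ip not in baseline[actor]["ips"]:
            reasons.append(f"new source ip {ip}")
        if category not in baseline[actor]["categories"]:
            reasons.append(f"new action category {category}")
        if reasons:
            alerts.append((rec["created_at"], actor, "; ".join(reasons)))
    return alerts


# Constructed records (timestamps are epoch milliseconds, as the audit-log API returns them).
HISTORY = [
    {"created_at": 1741900000000, "actor": "ci-bot", "actor_ip": "198.51.100.10", "action": "git.clone"},
    {"created_at": 1741903600000, "actor": "ci-bot", "actor_ip": "198.51.100.10", "action": "git.push"},
    {"created_at": 1741907200000, "actor": "release-bot", "actor_ip": "198.51.100.11", "action": "git.push"},
]
RECENT = [
    {"created_at": 1741990000000, "actor": "ci-bot", "actor_ip": "198.51.100.10", "action": "git.push"},
    {"created_at": 1741990060000, "actor": "ci-bot", "actor_ip": "203.0.113.7", "action": "repo.download_zip"},
    {"created_at": 1741990120000, "actor": "unknown-bot", "actor_ip": "203.0.113.8", "action": "git.clone"},
]

if __name__ == "__main__":
    for created_at, actor, reason in detect_anomalies(HISTORY, RECENT):
        print(created_at, actor, reason)
```

In practice the history window is the previous weeks of `gh api /orgs/<ORG>/audit-log --paginate` output and the recent window is the latest pull; a bot token that suddenly acts from a new address or in a new category is exactly the pivot described in this incident.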

What Undercode Say:

This attack highlights the danger of NHI chaining—where attackers pivot from one compromised token to another, escalating access. Defending against such threats requires:
– Strict PAT & OAuth app review
– Workflow sandboxing (e.g., GitHub’s job-level permissions)
– Real-time secrets scanning in CI/CD logs
– Zero-trust for automation identities

Linux & Windows Commands for Further Security:

  • Linux (audit NHIs):
    # List the current user's cron jobs (a common NHI abuse vector)
    crontab -l
    # Look for tokens or keys passed on the command lines of running processes
    ps aux | grep -E "(token|key|secret)"

  • Windows (detect token misuse):
    # List scheduled tasks that are not disabled (the Windows equivalent of cron)
    Get-ScheduledTask | Where-Object { $_.State -ne "Disabled" }
    # Audit PowerShell command history for secrets typed on the command line
    Get-Content "$env:USERPROFILE\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"

Expected Output:

A hardened CI/CD pipeline with:

  • Rotated PATs
  • Restricted GitHub Actions permissions
  • Secrets scanning in logs
  • NHI monitoring

Source:

GitHub Actions Supply Chain Attack – Palo Alto Unit 42

References:

Reported By: Reverser Github – Hackers Feeds