
Massive GitHub Attack Linked to Token Theft


A stolen SpotBugs token led to a major GitHub Actions supply chain breach. The attack, which came to light in March 2025, actually started months earlier. According to Palo Alto Networks, the incident can be traced back to a compromised personal access token (PAT) from December 2024.

Malicious Pull Request Was the Entry Point

In early December, a threat actor submitted a malicious pull request to the spotbugs/sonar-findbugs project. It abused GitHub’s pull_request_target trigger, which runs a workflow in the context of the base repository, with access to its secrets, even when the pull request comes from a fork. That allowed the attacker to steal a SpotBugs maintainer’s PAT, a token that had only just been added to fix CI/CD issues.

Gaining Access to SpotBugs and Reviewdog

On March 11, the attacker used the stolen PAT to add a new user, jurkaofavak, to the spotbugs/spotbugs repository. That gave them write access. Just minutes later, the attacker pushed a malicious GitHub Actions workflow. It exfiltrated all available secrets from the repository.

The workflow encrypted the secrets with AES and then encrypted the AES key with RSA, so that only the attacker, holding the matching RSA private key, could decrypt the stolen data. Among the stolen credentials was a Reviewdog maintainer’s token. That maintainer had access to both the SpotBugs and Reviewdog projects.

Hijacking Reviewdog Action Setup to Spread Malware

The attacker used the Reviewdog token to push a malicious commit to the reviewdog/action-setup repository and moved the v1 tag to point at it. That small change had big consequences: the tj-actions/eslint-changed-files action depended on action-setup via that mutable tag, so it was compromised in turn.

Eventually, the malware made its way into the popular tj-actions/changed-files action. This GitHub Action is used by more than 160,000 projects, either directly or through other dependencies.

Coinbase Becomes a Victim

On March 12, a Coinbase maintainer added a workflow in the coinbase/agentkit project. It used the now-compromised changed-files action. Just two days later, the attack was triggered. The malicious code ran inside Coinbase’s environment and leaked a token with write permissions.

Coinbase removed the vulnerable workflow within 90 minutes. However, the attacker wasn’t done. They updated all the tags in the changed-files repo to point to malicious commits. From that point on, any GitHub workflow using the changed-files action was at risk.
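The attack chain relied on two workflow weaknesses described above: actions referenced by mutable tags such as v1, and pull_request_target workflows that check out pull-request code while the base repository’s secrets are available. As an added example (not code from the article or from any of the projects named), this Python check scans a workflow file for both; the sample workflow text and the 40-hex commit SHA in it are constructed for illustration.

```python
import re

# Constructed sample workflow (not from the article): a pull_request_target job
# that checks out the fork's head and references actions by mutable tags.
# The 40-hex SHA below is a made-up placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: lint
on:
  pull_request_target:
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: reviewdog/action-setup@v1
      - uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567
"""

# Matches "uses: owner/repo@ref" step lines; capture the action and the ref.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w./-]+)@(\S+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned_actions(workflow_text):
    """Return (action, ref) pairs whose ref is a tag or branch, not a full SHA.
    A tag like v1 can be repointed by anyone with write access, which is how
    the reviewdog/action-setup compromise propagated downstream."""
    return [(a, r) for a, r in USES_RE.findall(workflow_text) if not FULL_SHA_RE.match(r)]


def uses_pull_request_target_with_fork_checkout(workflow_text):
    """True if the workflow runs on pull_request_target and checks out PR code.
    pull_request_target runs with the base repository's secrets, so checking
    out and executing fork-controlled code there exposes those secrets."""
    has_trigger = re.search(r"^\s*pull_request_target\s*:", workflow_text, re.MULTILINE) is not None
    checks_out_head = "github.event.pull_request.head" in workflow_text
    return has_trigger and checks_out_head


if __name__ == "__main__":
    for action, ref in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"unpinned: {action}@{ref} (pin to a full commit SHA)")
    if uses_pull_request_target_with_fork_checkout(SAMPLE_WORKFLOW):
        print("pull_request_target checks out fork code with base-repo secrets available")
```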

Fallout and Confirmed Impact

Although the potential impact was massive, the actual number of affected projects was smaller. Around 160,000 repositories used the infected action. But only 218 were confirmed to have leaked secrets.

Palo Alto Networks worked closely with maintainers from SpotBugs and Reviewdog to confirm the chain of events. Their findings reveal just how dangerous one compromised token can be in a connected developer ecosystem.
