Coinbase Primary Target in GitHub Action Supply Chain Attack

Cybersecurity experts identify Coinbase as the primary target of the GitHub Action supply chain attack.

Initial reports indicate that the attacker first attempted to compromise Coinbase’s open-source project, AgentKit.

After failing, they broadened their scope, exploiting GitHub Actions to infiltrate multiple repositories.

Analysts suggest the attacker aimed to breach Coinbase’s ecosystem to steal crypto assets but was thwarted by the exchange’s swift detection and response.

According to cybersecurity firm Wiz, an analysis of GitHub identities linked to the attack suggests the perpetrator is an active member of the crypto community, likely operating from Europe or Africa.

While Coinbase has not publicly addressed the incident, experts report that the exchange has confirmed the breach was mitigated.

Further investigation revealed that malicious actors injected code into the “tj-actions/changed-files” workflow, attempting to extract sensitive data from affected repositories.

How Coinbase Fended Off the Attacker

Coinbase, the largest US crypto exchange, successfully thwarted a supply chain attack aimed at its open-source infrastructure.

According to cybersecurity firm Unit 42, the attacker targeted AgentKit, a Coinbase-managed open-source toolkit for blockchain-based AI agents.

By forking AgentKit and OnchainKit repositories on GitHub, the attacker injected malicious code designed to exploit the continuous integration pipeline.

The breach attempt was first detected on 14 March 2025.

The attacker leveraged GitHub’s “write-all” permissions to insert harmful code into the project’s automated workflow, potentially exposing sensitive data and enabling further compromises.

While Unit 42 confirmed that the payload collected sensitive information, it did not include advanced exploits such as remote code execution or reverse shell attacks.

Coinbase responded swiftly, working with security experts to isolate the threat and implement mitigations.

This rapid intervention prevented deeper infiltration and safeguarded the exchange’s infrastructure from further risk.

Malicious Actor Shifts Focus to Wider Target

After Coinbase successfully thwarted the targeted attack, the threat actor shifted focus to a broader supply chain assault, this time targeting GitHub Actions.

Endor Labs identified that 218 GitHub repositories were compromised, exposing sensitive information.

However, the leaked data primarily consisted of credentials for platforms like Amazon Web Services, npm, Dockerhub, and GitHub access tokens.

Fortunately, the impact was less severe than initially feared, as many of the exposed GitHub tokens expired once the workflow had completed.

Endor Labs researcher Henrik Plate said:

“The initial scale of the supply chain attack sounded scary, considering that tens of thousands of repositories depend on the GitHub Action.”

Security experts are now investigating the motive behind the attack.

While some suspect the primary aim was to steal crypto assets from Coinbase, the swift resolution of the incident likely forced the attacker to pivot.

Rather than continuing with a focused attack on Coinbase, they expanded their efforts to compromise a wide range of projects through this large-scale supply chain attack.

Security Threats Continue to Target Crypto Projects

The failed attack on Coinbase underscores the persistent threats targeting crypto projects.

Yu Jian, founder of SlowMist, highlighted the potential severity of the breach, noting that had it succeeded, Coinbase could have been the next major security incident, referencing the $1.5 billion hack of ByBit in February 2025.

Jian also advised companies using tools like tj-actions or reviewdog to conduct thorough audits to ensure their secrets remain secure.

Supply chain attacks like this one have led to significant losses in the past.

In 2024, an exploit targeting updates to the Lottie Player npm package resulted in a user losing 10 BTC, worth $725,000.

Similarly, security vulnerabilities continue to plague the Web3 space, with ZOTH, a platform for restaking assets, losing over $8 million after a malicious actor gained admin privileges and modified its logic contract.

This underscores the ongoing risks within the crypto ecosystem.