GitHub Supply Chain Attack Targets Coinbase's Open-Source Project


A sophisticated cyberattack targeting Coinbase's open-source project AgentKit through GitHub Actions has been uncovered by cybersecurity researchers. The attack, detected on March 14, 2025, exploited vulnerabilities in a widely used GitHub Action called tj-actions/changed-files.

Security firms Palo Alto Networks Unit 42 and Wiz revealed that after multiple failed attempts to breach Coinbase's defenses, the attacker shifted focus to target thousands of other GitHub repositories. The hacker conducted over 20 test attempts with various code variations before Coinbase's security team identified and blocked the intrusion.

The expanded attack campaign put more than 23,000 repositories at risk. Cybersecurity firm Endor Labs confirmed that at least 218 repositories were successfully compromised, resulting in the exposure of various access tokens for AWS, npm, Docker Hub, and GitHub. The impact was partially mitigated because many of the leaked tokens expired rapidly.

According to Wiz's investigation, the attacker appears to be an active member of the cryptocurrency community, likely operating from Europe or Africa. While Coinbase has not released an official statement, security experts indicate the exchange successfully prevented any major breach of its systems.

SlowMist founder Yu Jian compared the potential impact of a successful attack to the February 2025 ByBit hack, which resulted in losses of $1.5 billion. He recommended that organizations using GitHub Actions such as tj-actions implement regular security audits to protect against similar threats.
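One concrete form such an audit can take is a check over workflow files for third-party actions that are referenced by a mutable tag or branch rather than a full commit SHA, plus a watch list containing the action named in this article. The script below is an added example written for this page, not code from Coinbase or any of the firms mentioned; the workflow text, the commit SHA in it and the `some-org/some-action` entry are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Constructed sample workflow (not from the article). It mixes a tag-pinned
# reference to the action named in the article with SHA-pinned, branch-pinned
# and local references. The 40-hex SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
        id: changed
      - uses: docker/login-action@9780b0c442fbb1130a4fd3e7b7b1b3b1f4c1b1b1
      - uses: ./.github/actions/local-step
      - uses: some-org/some-action@main
"""

USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'\s#]+)', re.M)
SHA_RE = re.compile(r'^[0-9a-f]{40}$')
# Actions the article reports as compromised; a real deployment would maintain its own list.
WATCH_LIST = {"tj-actions/changed-files"}

@dataclass
class Finding:
    action: str
    ref: str
    reasons: list

def audit_workflow(text: str) -> list:
    """Return a Finding for every third-party action that is not pinned to a
    full commit SHA or that is on the watch list. Local (./) and docker://
    references are skipped because they are not fetched from a GitHub repo."""
    findings = []
    for ref_str in USES_RE.findall(text):
        if ref_str.startswith("./") or ref_str.startswith("docker://"):
            continue
        action, _, ref = ref_str.partition("@")
        # owner/repo/sub-path@ref -> owner/repo
        name = "/".join(action.split("/")[:2])
        reasons = []
        if not SHA_RE.match(ref):
            reasons.append("not pinned to a 40-hex commit SHA (mutable tag/branch)")
        if name in WATCH_LIST:
            reasons.append("on watch list of actions with a known compromise")
        if reasons:
            findings.append(Finding(name, ref or "<none>", reasons))
    return findings
```

Running `audit_workflow(SAMPLE_WORKFLOW)` flags three of the five steps; the SHA-pinned and local steps pass. Pinning to a SHA alone does not make a compromised action safe, so the watch list is reported separately.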

The incident highlights the growing sophistication of supply chain attacks targeting the cryptocurrency industry and the critical importance of rapid threat detection and response capabilities.