GitHub’s Comedy of Errors: The PAT That Opened Pandora’s Box in a Supply Chain Fiasco
Threat actors used a personal access token compromised in December 2024 to carry out a supply chain attack targeting GitHub Actions in March 2025, Palo Alto Networks reports. The attack exposed secrets from 218 repositories, and the attackers expanded their efforts after their initial target, an open-source Coinbase project, evaded compromise.

Hot Take:
Looks like those pesky cyber-villains are at it again, playing a dangerous game of “GitHub Gotcha!” with supply chains. Who knew that Personal Access Tokens (PATs) could be the key to unlocking a Pandora’s Box of digital chaos? I guess the moral of the story is to keep your PATs safer than you would your grandma’s secret apple pie recipe!
Key Points:
- Threat actors used a compromised Personal Access Token (PAT) from December 2024 to execute a March 2025 supply chain attack on GitHub Actions.
- Malicious code was injected into the tj-actions/changed-files GitHub action, potentially compromising 160,000 projects, though only 218 repositories exposed secrets.
- The attack began with the theft of a PAT from a SpotBugs maintainer, obtained through a malicious pull request that exploited a GitHub Actions workflow.
- Once inside, the attackers invited a malicious user, gained write access, and leaked secrets using advanced encryption techniques.
- This cascading attack impacted numerous GitHub workflows, including a significant incident involving a Coinbase project.
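The two weaknesses the key points describe, a consumed action that can be swapped out underneath its users and a workflow that a pull request can turn against its own secrets, can both be checked for in a repository's workflow files. The following audit script is an added example, not code from the page, Palo Alto Networks, or the tj-actions project; the sample workflow and the commit SHA in it are constructed, and the `pull_request_target` check reflects a common hardening rule rather than anything the page says about the SpotBugs workflow.

```python
import re
from dataclasses import dataclass

# Constructed sample workflow (not from the page). It consumes
# tj-actions/changed-files via a mutable tag, checks out an untrusted
# pull-request head under a privileged trigger, and pins one action
# to a (made-up) full commit SHA for comparison.
SAMPLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: tj-actions/changed-files@v45
      - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(\S+)", re.M)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

@dataclass
class Finding:
    action: str
    ref: str
    severity: str
    reason: str

def pin_kind(ref):
    """Classify an action reference: only a full commit SHA is immutable."""
    if SHA_RE.match(ref):
        return "sha"
    return "tag" if re.match(r"^v?\d", ref) else "branch"

def audit_workflow(text):
    """Return findings for mutable action pins and privileged PR checkouts."""
    findings = []
    for action, ref in USES_RE.findall(text):
        kind = pin_kind(ref)
        if kind != "sha":
            sev = "high" if action.startswith("tj-actions/") else "medium"
            findings.append(Finding(action, ref, sev, f"{kind} ref is mutable; pin to a full commit SHA"))
    if re.search(r"^\s*pull_request_target\s*:", text, re.M) and "pull_request.head" in text:
        findings.append(Finding("(workflow)", "pull_request_target", "high",
                                "checks out untrusted PR code under a trigger that exposes secrets"))
    return findings
```

Run `audit_workflow` over each file under `.github/workflows/` and treat any `high` finding as a blocker until the reference is replaced by a reviewed commit SHA.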