
The cascading supply chain attack that initially targeted Coinbase before broadening to all users of the tj-actions/changed-files GitHub Action has been traced back to the theft of a personal access token (PAT) tied to SpotBugs.
"The attackers obtained initial access by taking advantage of the GitHub Actions workflow of SpotBugs, a popular open-source tool for static analysis of bugs in code," Palo Alto Networks Unit 42 said in an update this week. "This enabled the attackers to move laterally between SpotBugs repositories, until obtaining access to reviewdog."
There is evidence to suggest that the malicious activity started as far back as November 2024, although the attack against Coinbase did not take place until March 2025.
Unit 42 said its investigation began with the knowledge that a reviewdog maintainer's PAT had been compromised, which later enabled the threat actors to push a malicious commit to reviewdog/action-setup, which in turn compromised tj-actions/eslint-changed-files, which in turn compromised tj-actions/changed-files.
It has since emerged that the reviewdog maintainer was also an active contributor to another open-source project, SpotBugs.
The attackers are said to have pushed a malicious GitHub Actions workflow file to the spotbugs/spotbugs repository under the throwaway username "jurkeofavak", which leaked the maintainer's PAT through the workflow.
It is believed that the same PAT had access to both spotbugs/spotbugs and reviewdog/action-setup, which means the leaked PAT could be abused to poison reviewdog/action-setup.
"The attacker had an account with write permission to spotbugs/spotbugs, which they were able to use to push a branch to the repository and access CI secrets," Unit 42 said.
As for how that write permission was obtained, it came to light that the user behind the malicious commit to SpotBugs, "jurkeofavak", was invited to the repository as a member on March 11, 2025 by one of the project maintainers.
In other words, the attackers managed to get hold of the SpotBugs maintainer's PAT and used it to invite "jurkeofavak" as a member. This, the cybersecurity company said, was achieved by forking the spotbugs/sonar-findbugs repository and opening a pull request under the username "randolzfow".
"2024-11-28T09:45:13 UTC, [the SpotBugs maintainer] modified one of the spotbugs/sonar-findbugs workflows to use their own PAT, as they were experiencing technical difficulties in part of their CI/CD process," Unit 42 explained.
"2024-12-06 02:39:00 UTC, the attacker submitted a malicious pull request to spotbugs/sonar-findbugs, which exploited a GitHub Actions workflow using the pull_request_target trigger."
pull_request_target is a GitHub Actions workflow trigger that allows workflows triggered from forks to access the base repository's secrets, in this case the PAT. Abusing it this way is known as a Poisoned Pipeline Execution (PPE) attack.
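To make the risky shape concrete, the following is an added example (not from the article or from Unit 42's report): a small check over workflow files already parsed with yaml.safe_load(), flagging steps that check out the fork's head commit under pull_request_target. The two sample workflows and the MAINTAINER_PAT secret name are constructed for illustration.

```python
UNTRUSTED_HEAD = ("github.event.pull_request.head", "github.head_ref")


def _triggers(workflow: dict) -> set:
    """Normalise `on:`; PyYAML loads a bare `on` key as boolean True (YAML 1.1)."""
    on = workflow.get("on", workflow.get(True, {}))
    if isinstance(on, str):
        return {on}
    return set(on or {})  # list of trigger names, or mapping of trigger -> options


def ppe_findings(workflow: dict) -> list:
    """One finding per step that checks out the fork's head under pull_request_target.

    pull_request_target runs in the base repository's context with secrets in scope,
    so checking out and building the PR head hands those secrets to the PR author.
    """
    if "pull_request_target" not in _triggers(workflow):
        return []
    findings = []
    for job_name, job in (workflow.get("jobs") or {}).items():
        for step in job.get("steps") or []:
            uses = str(step.get("uses", ""))
            ref = str((step.get("with") or {}).get("ref", ""))
            if uses.startswith("actions/checkout") and any(h in ref for h in UNTRUSTED_HEAD):
                findings.append(f"job '{job_name}': checkout of {ref} under pull_request_target "
                                "runs fork-controlled code with repository secrets available")
    return findings


# Constructed sample of the risky shape: a maintainer PAT in scope while the fork head is built.
VULNERABLE = {True: ["pull_request_target"], "jobs": {"build": {"steps": [
    {"uses": "actions/checkout@v4",
     "with": {"ref": "${{ github.event.pull_request.head.sha }}",
              "token": "${{ secrets.MAINTAINER_PAT }}"}},
    {"run": "./gradlew build"},
]}}}

# Constructed hardened form: the plain pull_request trigger, under which a PR from a fork
# receives a read-only GITHUB_TOKEN and no repository secrets.
HARDENED = {True: ["pull_request"], "jobs": {"build": {"steps": [
    {"uses": "actions/checkout@v4"},
    {"run": "./gradlew build"},
]}}}
```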
The SpotBugs maintainer has since confirmed that the PAT was the same access token used as a secret in that workflow, and that it was later used to invite "jurkeofavak" to the spotbugs/spotbugs repository. The maintainer has also rotated all tokens and PATs to revoke any further access by the attackers.
A major unknown in all this is the roughly three-month gap between when the attackers leaked the SpotBugs maintainer's PAT and when they abused it. It is suspected that the attackers were monitoring projects that depended on tj-actions/changed-files and were waiting to strike a high-value target such as Coinbase.
"After several months of effort and after achieving so much, why did the attackers print the secrets to the logs, and in doing so also reveal their attack?" Unit 42 researchers wondered.