Attacker intrusion began in November 2024.
An exposed SpotBugs token was to blame for last month’s GitHub Actions security incident.
According to BleepingComputer, more than 200 GitHub repositories were impacted in the incident, which was originally aimed at the cryptocurrency exchange Coinbase.
After a SpotBugs maintainer's Personal Access Token (PAT) was included in a CI workflow in late November, attackers exfiltrated the token in early December by exploiting a vulnerable 'pull_request_target' workflow. They then used the stolen token to pilfer another token, which eventually enabled the exposure of repository secrets last month, an analysis from Palo Alto Networks Unit 42 researchers revealed.
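The misconfiguration the article refers to, a `pull_request_target` workflow (which runs in the base repository's context with secrets in scope) that also checks out and builds the contributor's pull-request code, is easy to audit for. The script below is an added example written for this page; it is not code from the article, SpotBugs, Unit 42 or BleepingComputer, and the three workflow files it inspects are constructed. It uses a line-based heuristic rather than a YAML library so it runs offline, and it rates a workflow "high" only when the privileged trigger, an untrusted checkout and an explicit secret reference all appear together.

```python
"""Heuristic audit of GitHub Actions workflows for the risky combination of a
'pull_request_target' trigger with a checkout of the pull request's own code.
Added example; the sample workflows are constructed for illustration."""
import re
from dataclasses import dataclass

# Trigger that runs with the base repository's secrets and a write-capable token.
PRIVILEGED_TRIGGER = re.compile(r"\bpull_request_target\b")
# Checkout refs that point at the contributor's (untrusted) commit.
UNTRUSTED_REF = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref")
# Explicit secret use in a job (GITHUB_TOKEN is available even without this).
SECRET_USE = re.compile(r"\$\{\{\s*secrets\.")


@dataclass
class Finding:
    privileged_trigger: bool
    untrusted_checkout: bool
    secrets_referenced: bool

    @property
    def severity(self) -> str:
        if self.privileged_trigger and self.untrusted_checkout:
            return "high" if self.secrets_referenced else "medium"
        return "ok"


def audit_workflow(text: str) -> Finding:
    """Inspect trigger text and job text separately (split at the top-level 'jobs:')."""
    head, sep, jobs = text.partition("\njobs:")
    trigger_text = head if sep else text
    jobs_text = jobs if sep else ""
    privileged = bool(PRIVILEGED_TRIGGER.search(trigger_text))
    # A checkout is untrusted only when the checkout step itself pins an untrusted ref.
    untrusted = False
    for step in re.split(r"\n\s*-\s+(?=uses:|name:|run:)", jobs_text):
        if "actions/checkout" in step and UNTRUSTED_REF.search(step):
            untrusted = True
            break
    return Finding(privileged, untrusted, bool(SECRET_USE.search(jobs_text)))


# Constructed sample 1: the weak pattern (privileged trigger + contributor code + secret).
VULNERABLE = """\
name: ci
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Build with contributor's code
        run: ./build.sh
        env:
          TOKEN: ${{ secrets.CI_TOKEN }}
"""

# Constructed sample 2: same build, but on the unprivileged 'pull_request' trigger.
HARDENED = """\
name: ci
on:
  pull_request:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build with contributor's code (no secrets in scope)
        run: ./build.sh
"""

# Constructed sample 3: privileged trigger kept, but only the base branch is checked out.
LABEL_ONLY = """\
name: triage
on:
  pull_request_target:
    types: [opened]
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/label.sh
        env:
          TOKEN: ${{ secrets.TRIAGE_TOKEN }}
"""


def main() -> None:
    for name, wf in (("vulnerable", VULNERABLE), ("hardened", HARDENED), ("label-only", LABEL_ONLY)):
        print(f"{name:11s} -> {audit_workflow(wf).severity}")


if __name__ == "__main__":
    main()
```

The third sample shows why the trigger alone is not the finding: `pull_request_target` with a base-branch checkout is the pattern GitHub's own documentation recommends for labelling or commenting on pull requests, and the script rates it "ok". Pointing the checkout at the contributor's commit is what turns the privileged context into a secret-exfiltration path.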
Written by Dan Raywood, a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.