Data breach

Blogs

Coinbase Identified as Primary Target in GitHub Action supply chain attack

Recently the attack on Coinbase by bad actors and targeting their agentkit project revealed that attackers are active in crypto community. The attackers gained right to access to the repository after obtaining a GitHub token with sufficient permissions.

As per researchers from at Palo Alto Networks’ Unit 42 and Wiz, attackers compromised continuous integration/continuous delivery (CI/CD) pipelines of thousands of repositories, putting them at risk.

The attack failed and highlighted the constant threats against crypto projects happening and in this case the aim was on the Coinbase project, get access to exchange ecosystem and steal crypto assets. On time Coinbase took handle of the incident that could have led attacker to change approach to a large-scale attack and compromise many projects.

As per Reuters, 2025 the crypto industry has suffered a series of thefts, prompting questions about the security of customer funds, with hacking amount more than $2 billion in 2024 – the fourth straight year where proceeds have topped more than $1 billion.

Details of the attack methodology

According to cybersecurity firm Wiz, its analysis of GitHub identities used in the attack shows that the attacker is active in the crypto community and likely operates from Europe or Africa.

The attack exploited vulnerabilities in popular GitHub Actions, leading to the potential exposure of sensitive CI/CD secrets across numerous projects.

The attack involved the compromise of the review dog/action-setup@v1 GitHub Action.

A total of 218 repositories were confirmed to have exposed secrets, despite over 23,000 using the affected action. The payload was focused on exploiting the public CI/CD flow of one of their open source projects – agentkit, probably with the purpose of leveraging it for further compromises. However, the attacker was not able to use Coinbase secrets or publish packages.

  • After this initial attack, threat actor believed to have moved to the larger attack scenario that has since gained widespread attention globally.
  • As per researchers the attacker began preparing several days before reports surfaced, eventually affecting specific versions of tj-actions/changed-files and putting a significant number of repositories at risk.
  • The incident reflects how attackers can abuse third-party actions or dependencies to compromise software supply chains, potentially resulting in unauthorized access, data breaches and code tampering.
  • Attackers actions confirmed what was initially highly focused on Coinbase and expanded to all projects utilizing tj-actions/changed-files once their initial attempt failed.

The exposed secrets included GitHub tokens and other sensitive information, with some being short-lived.

“The attacker took significant measures to conceal their tracks using various techniques, such as leveraging dangling commits, creating multiple temporary GitHub user accounts, and obfuscating their activities in workflow logs (especially in the initial Coinbase attack),” Gil, Senior Research Manager at Palo Alto Networks, told The Hacker News. “These findings indicate that the attacker is highly skilled and has a deep understanding of CI/CD security threats and attack tactics.”

Overview of attack:

The attack affected only 218 were confirmed to have leaked secrets. The majority of these secrets were short-lived tokens that expire after a single workflow run. However, some repositories also exposed more sensitive credentials, including those for DockerHub, npm, and AWS.

tj-actions and reviewdog

During March 10 and March 14, 2025, an attacker successfully pushed a malicious commit to the tj-actions/changed-files GitHub repository. This commit contained a Base64-encoded payload shown in Figure 1, which prints all of the credentials that were present in the CI runner’s memory to the workflow’s log.

(Image: unit42.paloaltonetworks)

Figure 1. The malicious snippet that was introduced to tj-actions/changed-files.

The company stated that their security measures prevented any successful exploitation of the exposed secrets.

While Coinbase managed to avert significant damage, the incident serves as a reminder for organizations to strengthen their security protocols and remain vigilant against potential threats in the software supply chain.

The attacker was able to add the malicious commit (0e58ed8) to the repository by using a GitHub token with write permissions that they obtained previously. The attacker disguised the commit to look as if it was created by renovate[bot] — a legitimate user.

The commit was then added to a legitimate pull request that was opened by the real renovate[bot] and automatically merged, as configured for this workflow.

These steps enabled the attacker to infect the repository, without the activity being detected. Once the commit was merged, the attacker pushed new git tags to the repository to override its existing tags, making them all point to the malicious commit in the repository.

Coinbase as a soft target for attackers

Cryptocurrency platforms are frequent targets for cybercriminals due to their high-value assets and financial data.

Coinbase’s agentkit repository is used for blockchain AI agents, meaning any compromise could potentially be used for manipulating transactions, altering AI behavior, or gaining unauthorized access to blockchain-related systems. Researchers have witnessed a systemic risks of software supply chains, particularly in open-source ecosystems.

When a single dependency is compromised, it can have far-reaching consequences across thousands of projects. The reliance on shared libraries and GitHub Actions makes modern development more efficient but also inherently vulnerable to such cascading attacks.

The GitHub Actions supply chain attack highlights the vulnerabilities inherent in widely used automation tools.


Sources:

https://www.bleepingcomputer.com/news/security/coinbase-was-primary-target-of-recent-github-actions-breaches/

https://undercodenews.com

 


Click here

Security Advisory

Apache NiFi Security Flaw Exposes MongoDB Credentials 

Security Advisory

A security vulnerability, CVE-2025-27017, has been identified in Apache NiFi.

These events retain usernames/passwords used for MongoDB authentication, violating credential isolation principles.

OEM Apache 
Severity Medium 
CVSS 6.9 
CVEs CVE-2025-27017 
Exploited in Wild No 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

A widely used data flow automation tool which allows unauthorized access to MongoDB credentials stored in provenance events. The Versions are affected from v1.13.0 to v2.2.0. In v2.3.0 the issue has been addressed. 

Vulnerability Name CVE ID Product Affected Severity 
 Apache NiFi Credential Exposure  CVE-2025-27017  Apache NiFi  Medium 

Technical Summary 

The vulnerability stems from Apache NiFi’s inclusion of MongoDB usernames and passwords in provenance event records.

Any authorized user with read access to these records can extract credentials information, leading to potential unauthorized access to MongoDB databases.  

CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-27017   Apache NiFi 1.13.0 – 2.2.0   MongoDB credentials are stored in provenance events, allowing unauthorized extraction by users with read access.  Unauthorized access to MongoDB databases, potential data breaches.  

Remediation

  • Upgrade to Apache NiFi 2.3.0: The latest version removes credentials from provenance events, mitigating the vulnerability. 

General Recommendations: 

  • Restrict access to provenance data: Ensure only authorized personnel can view provenance records. 
  • Rotate MongoDB credentials: If affected versions were in use, change database credentials to prevent unauthorized access. 
  • Conduct security audits: Regularly review system logs and access controls to identify any unauthorized access attempts. 

Conclusion: 

This vulnerability poses a risk to organizations using Apache NiFi for data processing workflows involving MongoDB. Immediate action is recommended to upgrade to version 2.3.0 or later, restrict access to provenance data, and rotate credentials to mitigate any potential exposure. Organizations should implement stringent security measures to protect against similar vulnerabilities in the future.

This security flaw is particularly concerning because provenance events play a crucial role in auditing and monitoring data flows within NiFi. If left unpatched, this vulnerability could result in data breaches, unauthorized modifications, or even complete database compromise.

References: 

Blogs

Orange Group Suffered Data Breach; Threat Actors Exposes Compromised Data

Threat actors aimed infiltrating on Orange’s systems; A case of Ransomware cannot be denied on the data breach that took place.

Orange has confirmed it has recently experienced a cyber-attack, that exposed compromised data. Orange insists it is still investigating the case. The data breach on Orange group when analyzed found it included thousands of internal documents, including sensitive user records and employee data, after infiltrating the company’s infrastructure.

As per reports one of Orange’s non-critical apps breached in an attack aimed at its Romanian operations after HellCat ransomware gang member “Rey” alleged exfiltrating thousands of internal files with user records and employee details, which have been leaked on Tuesday, according to BleepingComputer.

Key Breach details on Orange Group

  • The data breach aimed at Infiltration of Orange’s systems for more than a month via the exploitation of Jira software and internal portal vulnerabilities.
  • This facilitated the eventual breach and can be a ransomware case as of almost 6.5 GB of corporate data including about 12,000 files over a nearly three-hour period on Sunday.
  • The hacker, known by the alias Rey, is a member of the HellCat ransomware group, noted the intrusion to be independent from the HellCat ransomware operation.
  • The threat actor claims that they have stolen thousands of internal documents of current and former Orange Romania employee, contractor, and partner email addresses, some of which dated from over five years ago, as well as mostly expired partial payment card details.
  • The hacker claims that they gained access to Orange’s systems by exploiting compromised credentials and vulnerabilities in the company’s Jira software (used for issue tracking) and other internal portals.
  • The point was getting access to the company’s systems for over a month before executing the data exfiltration as per the hacker. They also stated that they had dropped a ransom note on the compromised system, but Orange did not engage in negotiations.
  • Orange emphasized that the attack has not impacted operations amid an ongoing investigation into the incident. The company is yet to disclose whether affected individuals will be notified or if additional security measures will be introduced to prevent similar breaches in the future.

Cyber Security Implications 

From cybersecurity point the incident reflected how major organization face cyber threats and what is their strategy for incident response?

How far is the preparedness of enterprises against a ransomware attack?

These are some of the eminent questions organizations must face in order to defend their brand name..Is it proactive, are organizations prepared as Ransomware groups are focusing with advanced techniques.

Cyber security preparedness the next step

It is important that security teams be on their toes to stop any ransomware attack at the source.

AI on the endpoints is the requirement of the day, detecting atypical behavior to predict and block attack advances, at the same time before encryption, having visibility full visibility from the kernel to the cloud enables one to spot signs of compromise .This can also be any ransomware chain or any early indicators of compromise.

Experts keep on warning how to protect assets from getting compromised warning customers and employees to remain vigilant for potential phishing attempts based on the data that has been leaked.

AI Leveraging Ransomware campaigns

Earlier we witnessed cybercriminals would encrypt data and provide the decryption key once payment was received.

Now threats has doubled up with double or triple extortion attacks to expose stolen information on data leak sites in exchange for larger ransoms.

The greater availability of artificial intelligence and machine learning tools has led to these gangs be more sophisticated in their attack methods. Now the attack vectors leverage AI and ML capabilities to evade detection, spread more effectively to reach their final goals.

AI Reshaping Cyber security Roadmap

AI in cybersecurity firstly integrates artificial intelligence technologies that are required to gain critical insights and automate time-consuming processes and this includes machine learning and neural networks, into security frameworks.

These technologies are a must to enable cybersecurity teams and systems to analyze vast amounts of data, recognize attack patterns, and being able to adapt new evolving threats that can be performed with minimal human intervention. Read our blog: AI Reshaping Roadmap for Cyber security

With AI capabilities what is the next scenario we may witness in Ransomware campaigns

    • Making ransom calls using Voice Cloning

    • Malware that can target key personnel within the organization

    • The ability to decipher financial data and demand ransom amounts accordingly

AI-driven systems learn from experiences and AI will empowers organizations, enterprises in future and still doing to enhance their cybersecurity posture and reduce the likelihood of breaches, identify potential risks by acting independently.

Sources:

https://www.scworld.com/brief/orange-group-hack-confirmed-following-leak-by-hellcat-ransomware-member

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut elit tellus, luctus nec ullamcorper mattis, pulvinar dapibus leo.

Scroll to top