Daily News Update: Sunday, March 23, 2025 (Australia/Melbourne)


Coinbase the Original Target of GitHub Actions Supply Chain Attack

Researchers from Palo Alto's Unit 42 and Wiz have concluded that the recent supply chain attack on the reviewdog/action-setup@v1 GitHub Action had Coinbase as its primary target.

The injected malicious code allowed the attackers to dump CI/CD secrets and authentication tokens into GitHub Actions logs. This then allowed the attackers to steal a Personal Access Token, which was used to push a malicious commit to the tj-actions/changed-files GitHub Action. This action is used by over 20,000 projects, including Coinbase's coinbase/agentkit, a framework for AI agents interacting with blockchains.

"The attacker obtained a GitHub token with write permissions to the coinbase/agentkit repository on March 14, 2025, 15:10 UTC, less than two hours before the larger attack was initiated against tj-actions/changed-files," explained Palo Alto Unit 42.

Although the attackers gained write access to the coinbase/agentkit repository, Coinbase reported that the attack was unsuccessful and did not impact any of their assets.

The campaign initially focused on Coinbase but expanded to all projects using tj-actions/changed-files after the initial attempt failed. Out of 23,000 projects using the changed-files action, only 218 repositories were ultimately affected.

Bleeping Computer | "Coinbase was primary target of recent GitHub Actions breaches"
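The mechanics above hinge on mutable references: the malicious commit pushed to tj-actions/changed-files was picked up by every workflow that referenced the action by a tag such as `@v1` instead of by a full commit SHA. A practical defensive check is to scan workflow files and flag any third-party action that is not pinned to a 40-character SHA. The script below is an added example for this update, not code from Unit 42, Wiz, or the affected projects; the workflow text and the SHA in it are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Matches a GitHub Actions step reference of the form owner/repo[/path]@ref,
# with optional surrounding quotes and an optional trailing comment.
# Local actions (./path) and docker:// images have no owner/repo@ref shape and are skipped.
USES_RE = re.compile(
    r'^\s*-?\s*uses:\s*[\'"]?([\w.-]+/[\w.-]+(?:/[^@\s\'"]+)?)@([^\s\'"]+)[\'"]?\s*(#.*)?$'
)
# A full Git commit SHA is immutable; a tag or branch name (v1, main) can be moved later.
SHA_RE = re.compile(r'^[0-9a-f]{40}$')


@dataclass
class Finding:
    line_no: int
    action: str
    ref: str
    pinned: bool


def scan_workflow(text: str) -> list[Finding]:
    """Return one Finding per third-party action reference in a workflow file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, _comment = m.groups()
        findings.append(Finding(line_no, action, ref, bool(SHA_RE.match(ref))))
    return findings


def unpinned(findings: list[Finding]) -> list[Finding]:
    """Filter to references that follow a mutable tag or branch instead of a SHA."""
    return [f for f in findings if not f.pinned]


# Constructed sample workflow (not from any real repository). The SHA below is a
# placeholder value, not the commit of any real release.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: reviewdog/action-setup@0123456789abcdef0123456789abcdef01234567 # v1 (placeholder SHA)
      - uses: ./.github/actions/local-helper
      - name: lint
        run: echo lint
"""

if __name__ == "__main__":
    for f in unpinned(scan_workflow(SAMPLE_WORKFLOW)):
        print(f"line {f.line_no}: {f.action}@{f.ref} is not pinned to a commit SHA")
```

Pinning to a SHA means a retagged release cannot be pulled into a build silently, which is exactly how the changed-files compromise propagated. It does not help if the pinned commit was itself malicious, and it says nothing about actions that a composite action calls internally by tag, so the scan is a first line of review rather than a complete control.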


Microsoft Trusted Signing Service Abused to Code-Sign Malware

Cybercriminals are exploiting Microsoft's Trusted Signing platform to code-sign malware executables using short-lived, three-day certificates. Code-signing certificates are valuable to threat actors because they allow malware to appear legitimate and bypass security filters.

The Microsoft Trusted Signing service, launched in 2024, is a cloud-based service that allows developers to easily have their programs signed by Microsoft. It offers short-lived certificates that can be easily revoked in case of abuse and prevents certificates from being stolen by not issuing them directly to developers.

"Trusted Signing is a complete code signing service with an intuitive experience for developers and IT professionals, backed by a Microsoft managed certification authority," reads a Microsoft announcement for the service.

The platform has a $9.99 monthly subscription and provides a SmartScreen reputation boost to executables signed by the service. To prevent abuse, Microsoft initially restricted certificate issuance under a company name to those in business for three years, but individuals can get approved more easily.

Researchers have observed malware samples signed by "Microsoft ID Verified CS EOC CA 01" with certificates valid for only three days. Examples include malware used in a Crazy Evil Traffers crypto-theft campaign and Lumma Stealer campaigns.

Microsoft stated that they use threat intelligence monitoring to detect and revoke certificates being misused and suspend accounts involved in abuse. They confirmed that the shared malware samples are detected by their antimalware products, and they have taken action to revoke the certificates and prevent further account abuse.

Bleeping Computer | "Microsoft Trust Signing service abused to code-sign malware"