This Week in Security: Target Coinbase, Leaking Call Records, and Microsoft Hotpatching
Summary
Palo Alto’s Unit 42 has released additional information on the recent GitHub Actions supply chain attack, revealing that Coinbase was the likely intended target.
The attack began with a pull_request_target workflow in the spotbugs/sonar-findbugs repository, which was abused to exfiltrate secrets from a GitHub Actions run, including a personal access token belonging to a spotbugs maintainer.
That token was used to invite a throwaway account, jurkaofavak, into the main spotbugs repository; the account then created a new branch and deleted it seconds later.
The short-lived branch triggered another malicious CI run, which leaked a personal access token with write permission to tj-actions/changed-files.
The attacker created a fork of the repository, added malicious code to it, and overwrote the v1 tag so that it pointed at the malicious commit.
The tj-actions/changed-files tag was likewise pointed at a malicious fork. A Coinbase maintainer noticed the attack and deleted the targeted workflow, ending it.
Oracle has acknowledged a breach of Oracle Cloud Classic (the original Oracle Cloud, since renamed), but claims the current-generation Oracle Cloud was not breached.