The SpotBugs maintainer has since confirmed that the PAT that was used as a secret in the workflow was the same access token that was later used to invite “jurkaofavak” to the “spotbugs/spotbugs” repository. The maintainer has also rotated all of their tokens and PATs to revoke and prevent further access by the attackers.

One major unknown in all this is the three-month gap between when the attackers leaked the SpotBugs maintainer’s PAT and when they abused it. It’s suspected that the attackers were keeping an eye out on the projects that were dependent on “tj-actions/changed-files” and waited to strike a high-value target like Coinbase.

“Having invested months of effort and after achieving so much, why did the attackers print the secrets to logs, and in doing so, also reveal their attack?,” Unit 42 researchers pondered.