{"id":210611,"date":"2025-04-05T06:08:42","date_gmt":"2025-04-05T11:08:42","guid":{"rendered":"https:\/\/lifeboat.com\/blog\/2025\/04\/spotbugs-access-token-theft-identified-as-root-cause-of-github-supply-chain-attack"},"modified":"2025-04-05T06:08:42","modified_gmt":"2025-04-05T11:08:42","slug":"spotbugs-access-token-theft-identified-as-root-cause-of-github-supply-chain-attack","status":"publish","type":"post","link":"https:\/\/lifeboat.com\/blog\/2025\/04\/spotbugs-access-token-theft-identified-as-root-cause-of-github-supply-chain-attack","title":{"rendered":"SpotBugs Access Token Theft Identified as Root Cause of GitHub Supply Chain Attack"},"content":{"rendered":"<p><a class=\"aligncenter blog-photo\" href=\"https:\/\/lifeboat.com\/blog.images\/spotbugs-access-token-theft-identified-as-root-cause-of-github-supply-chain-attack.jpg\"><\/a><\/p>\n<p>The SpotBugs maintainer has since confirmed that the PAT that was used as a secret in the workflow was the same access token that was later used to invite \u201cjurkaofavak\u201d to the \u201cspotbugs\/spotbugs\u201d repository. The maintainer has also rotated all of their tokens and PATs to revoke and prevent further access by the attackers.<\/p>\n<p>One major unknown in all this is the three-month gap between when the attackers leaked the SpotBugs maintainer\u2019s PAT and when they abused it. It\u2019s suspected that the attackers were keeping an eye on the projects that depended on \u201ctj-actions\/changed-files\u201d and waited to strike a high-value target like Coinbase.<\/p>\n<p>\u201cHaving invested months of effort and after achieving so much, why did the attackers print the secrets to logs, and in doing so, also reveal their attack?\u201d Unit 42 researchers pondered.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The SpotBugs maintainer has since confirmed that the PAT that was used as a secret in the workflow was the same access token that was later used to invite \u201cjurkaofavak\u201d to the \u201cspotbugs\/spotbugs\u201d repository. The maintainer has also rotated all of their tokens and PATs to revoke and prevent further access by the attackers. One [\u2026]<\/p>\n","protected":false},"author":427,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20],"tags":[],"class_list":["post-210611","post","type-post","status-publish","format-standard","hentry","category-futurism"],"_links":{"self":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/210611","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/users\/427"}],"replies":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/comments?post=210611"}],"version-history":[{"count":0,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/210611\/revisions"}],"wp:attachment":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/media?parent=210611"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/categories?post=210611"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/tags?post=210611"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}