Coinbase Blocks Major Supply Chain Attack

Cryptocurrency Security

Coinbase, a leading US cryptocurrency exchange, successfully defended against a significant supply chain attack aimed at its open-source infrastructure. The attack, discovered on March 14, 2025, and detailed by Unit 42 (Palo Alto Networks) and SlowMist, targeted the agentkit and onchainkit repositories on GitHub.

How the Attack Was Stopped

Attackers forked the repositories and injected malicious code designed to compromise Coinbase's continuous integration and delivery (CI/CD) pipeline. They relied on GitHub workflows configured with "write-all" permissions to get the harmful code executed inside the automated workflow, which could have granted access to sensitive data and facilitated wider system breaches.

The malicious payload, while designed to collect information, lacked more advanced capabilities such as remote code execution or a reverse shell. Coinbase's swift response, in collaboration with security experts, isolated and mitigated the threat and prevented deeper infiltration.

The Stakes Were High

A successful attack on Coinbase, a major US crypto exchange and custodian for Bitcoin ETFs, could have had devastating consequences for the entire crypto industry. This near-miss underscores the importance of robust security measures, especially given recent significant breaches like the Bybit incident.

While Coinbase successfully defended against this specific attack, the threat actor has since shifted focus to a broader campaign. SlowMist's founder, Yu Jian, has urged developers using GitHub Actions, particularly those utilizing tj-actions or reviewdog, to thoroughly audit their systems and check for exposed secrets.
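The "write-all" permission mentioned above and the audit urged here, as an added example that is not from the article, Coinbase or SlowMist: a small Python scanner that flags workflows granting write-all to the job token and any action referenced by a mutable tag rather than a full commit SHA. The sample workflows, the placeholder SHA and the watch list of action owners are constructed for illustration, and the SHA-pinning check is an assumption about what such an audit should cover.

```python
import re

# Constructed sample workflows (not from the article) showing the weak and the hardened settings.
WEAK_WORKFLOW = """\
name: ci
on: [pull_request]
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: reviewdog/action-setup@v1
      - uses: example-org/some-action@0123456789abcdef0123456789abcdef01234567
"""
HARDENED_WORKFLOW = """\
name: ci
on: [pull_request]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
"""

SHA_REF = re.compile(r"^[0-9a-f]{40}$")  # a full, immutable commit SHA
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
WRITE_ALL = re.compile(r"^permissions:\s*write-all\b")

def audit_workflow(text, watch_owners=("tj-actions", "reviewdog")):
    """Return (line_no, finding) tuples for one workflow file's text."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if WRITE_ALL.match(line.strip()):
            findings.append((n, "permissions: write-all grants every scope to GITHUB_TOKEN"))
        m = USES_LINE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local or container actions are not tag-referenced third-party code
        action, _, version = ref.partition("@")
        if action.split("/")[0] in watch_owners:
            findings.append((n, f"{action} is on the watch list; rotate any secret this job can read"))
        if not SHA_REF.match(version):
            findings.append((n, f"{ref} uses a mutable ref rather than a full commit SHA"))
    return findings
```

Run audit_workflow over each file under .github/workflows and treat every finding as a line to review; the hardened sample above yields none.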

Securing Open-Source Tools is Crucial

This incident highlights the critical need for stronger security practices in open-source projects across the expanding crypto ecosystem. With over $1.5 billion in crypto exploits recorded this year (DefiLlama data), proactive security measures are no longer optional.

Codeum offers comprehensive blockchain security services, including smart contract audits, KYC verification, custom smart contract and DApp development, tokenomics and security consultation, and partnerships with launchpads and crypto agencies. Contact us to learn how we can help protect your project.

Disclaimer: This article provides information and analysis. It is not financial advice. Independent verification and consultation with professionals are recommended before making any decisions based on this content.