
The Hacker’s Initial Moves
Before launching the attack, the hacker tested over 20 different code variations, looking for a way in. Once Coinbase detected and blocked their attempts, they pivoted to a new target: all versions of tj-actions/changed-files.
A Massive Threat to GitHub Repositories
The attack put 23,000+ repositories at risk, but security firm Unit 42 believes the real number could be even higher. Meanwhile, Wiz, another cybersecurity firm, investigated the attacker’s identity and found they are likely an active crypto community member based in Europe or Africa. Coinbase has yet to make an official statement, but experts confirm the company stopped the attack before major damage occurred.
Shifting Targets: From Coinbase to GitHub Users
After failing to break into Coinbase, the attackers switched strategies and targeted a massive number of GitHub users instead. Security firm Endor Labs found at least 218 repositories had been compromised, leading to leaks of AWS, npm, Docker Hub, and GitHub access tokens—essentially login credentials for developer tools. Fortunately, most tokens expired quickly, reducing the impact.
How Coinbase’s Quick Response Limited the Damage
Endor Labs researcher Henrik Plate noted that the attack seemed intense at first, but Coinbase’s rapid response forced the hacker to adapt.
Could This Have Been Another ByBit-Scale Hack?
Yu Jian, founder of SlowMist, compared this attack to the ByBit hack in February 2025, in which attackers stole $1.5 billion. He urged developers using GitHub tools like tj-actions to perform regular security audits to prevent future breaches.