In March 2025, a sophisticated supply chain attack targeting GitHub Actions reminded us that, yet again, trusting third-party code without visibility is like leaving your front door open and hoping for the best. The attack initially targeted Coinbase’s open-source project agentkit, exploiting vulnerabilities in widely used GitHub Actions. And because supply chain attacks are the gift that keeps on giving (to hackers, at least), it quickly spread to over 23,000 repositories. By injecting malicious code into dependencies, attackers exfiltrated CI/CD secrets, turning a routine automation process into a security nightmare.
This breach highlights a harsh reality: even the best security teams can’t defend what they can’t see. Companies of all sizes increasingly rely on third-party code, automation tools, and open-source projects to stay agile, but those same dependencies also create a massive attack surface.
So, what does this mean for security leaders? For one, it’s time to rethink third-party cyber risk management. In this article, we’ll break down what happened, why it matters, and what companies need to do to prevent their own software supply chain from becoming the next big security headline.
Details of the GitHub Action Breach
The breach started with a popular GitHub Action, reviewdog/action-setup@v1, used in CI/CD pipelines. Attackers injected malicious code, grabbing authentication tokens and other sensitive credentials. Once executed, the malicious code sent these secrets to the attackers’ server.
Things escalated quickly as attackers compromised another widely-used GitHub Action, tj-actions/changed-files, expanding their reach to over 23,000 repositories. This wasn’t just a small breach, it was a wake-up call for anyone relying on third-party code. A single compromised action can snowball into a full-blown supply chain disaster.
Impact on Coinbase: Consequences of Third-Party Risk
One of the main targets was agentkit, an open-source project maintained by Coinbase. Attackers grabbed a GitHub token with write permissions, giving them the ability to modify the repo.
Luckily, Coinbase’s security team caught it early, so no major damage was done. While the attack didn’t affect their systems directly, it’s a stark reminder that even the most secure organizations aren’t immune to third-party risks.
The takeaway? Third-party vulnerabilities don’t just hit the vendors, they can also hit anyone relying on them. With more companies using external tools and automation, continuous monitoring and proactive risk management are more critical than ever.
Broader Implications for Third-Party Cyber Risk Management
The GitHub Actions breach isn’t just another security incident, it’s a case study in the rising threat of supply chain attacks. By compromising widely used open-source components, attackers accessed 218 repositories with exposed CI/CD secrets, putting many organizations at risk.
The real problem here is that companies often inherit vulnerabilities from third-party dependencies without even realizing it. Open-source software and third-party tools are essential, but they come with significant risks. Security teams struggle with visibility into all the third-party components in their systems, making it hard to spot and stop threats before they spread.
This attack also raises concerns about open-source maintainers. Many GitHub Actions and tools are run by small teams or individuals without enterprise-level security resources, leaving these tools vulnerable.
If there’s one takeaway from this breach, it’s this: supply chain security can’t be an afterthought. Without solid risk management, organizations are leaving their back doors wide open.
TP(C)RM Recommendations for Organizations
To prevent similar incidents, companies must take a proactive approach to third-party cyber risk management. Here are some key actions organizations should implement:
- Know Which Third-Parties You’re Relying on at All Times.
- Continuously Monitor Third-Party Dependencies
- Audit and Secure CI/CD Pipelines
- Rotate Secrets and Enforce Strong Authentication
- Support Open-Source Security Initiatives
- Implement Real-Time Threat Detection
By taking these steps, organizations can reduce their exposure to supply chain threats and build a more resilient cybersecurity posture.
The Wake-Up Call: Securing the Weakest Link in Your Supply Chain
The GitHub Actions breach is a wake-up call for anyone relying on third-party software. This attack showed how quickly supply chain vulnerabilities can spread, even to the most security-conscious organizations.
Moving forward, third-party cyber risk management can’t be an afterthought. Companies need to invest in continuous monitoring, stronger authentication, and better open-source security.
With the growing reliance on third-party tools, cybersecurity leaders need to ask themselves: Are we doing enough to secure the weakest link in our digital ecosystem?
