That massive GitHub supply chain attack? It all started with a stolen SpotBugs token


That massive GitHub supply chain attack that spilled secrets from countless projects? It traces back to a stolen token from a SpotBugs workflow - exposed way back in November, months earlier than previously suspected.

After "piecing together the stages" of the tj-actions/changed-files compromise, Palo Alto Networks' Unit 42 threat hunters concluded attackers used a leaked Personal Access Token (PAT) from SpotBugs to shift over to reviewdog, and ultimately tamper with the popular tj-actions/changed-files GitHub Action to quietly stash developers' secrets in log files.

"The attackers obtained initial access by taking advantage of the GitHub Actions workflow of SpotBugs, a popular open-source tool for static analysis of bugs in code," Omer Gil, Aviad Hahami, Asi Greenholts, and Yaron Avital said in an April update to their analysis from last month.

"This enabled the attackers to move laterally between SpotBugs repositories, until obtaining access to reviewdog," the team wrote, adding that ...
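One defensive check that follows from the chain described above, added here as an example and not drawn from the article or the Unit 42 report: a scan of a GitHub Actions workflow for third-party actions referenced by a mutable tag rather than a full commit SHA, since a tag can be moved by whoever holds write access to the action's repository. The sample workflow, the action names other than tj-actions/changed-files, and the SHA are constructed.

```python
import re

# Constructed sample workflow (not from the article): mixes mutable tag
# references with one immutable full-commit-SHA reference (placeholder SHA).
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: reviewdog/action-setup@v1
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567
      - run: echo "no action here"
"""

# Matches "uses: owner/repo[/path]@ref" step lines; ref stops at whitespace or '#'.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^@\s'\"]+)@([^\s'\"#]+)", re.M)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned_actions(workflow_text):
    """Return (action, ref) pairs whose ref is not a full 40-hex commit SHA.

    A tag like v45 can be re-pointed at tampered code by anyone with write
    access to the action's repo (the outcome of a leaked token), and every
    consumer's CI then runs it; a commit SHA cannot be silently re-pointed."""
    unpinned = []
    for action, ref in USES_RE.findall(workflow_text):
        if action.startswith(("./", "docker://")):
            continue  # local and container references are out of scope here
        if not FULL_SHA_RE.match(ref):
            unpinned.append((action, ref))
    return unpinned


def uses_flagged_action(workflow_text, watchlist=("tj-actions/", "reviewdog/")):
    """Return unpinned actions under the org prefixes named in the article."""
    return [a for a, _ in find_unpinned_actions(workflow_text)
            if a.startswith(watchlist)]


if __name__ == "__main__":
    for action, ref in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"unpinned: {action}@{ref}")
```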


Copyright of this story belongs to theregister.co.uk.