DevSecOps

The malware targets the “ethers” package and opens a reverse shell.

GitHub Action attack initially set sights on Coinbase Cybersecurity Dive reports that major U.S. cryptocurrency exchange Coinbase was disclosed by Palo Alto Networks Unit 42 and Wiz researchers to have been originally targeted by the supply chain compromise that was eventually aimed at the GitHub Action tj-actions/changed-files, tracked as CVE-2025-30066.

Most of the exposed secrets were GitHub install action tokens but their 24-hour expiration has restricted exploitation opportunities.

While nearly a third of such attempts involved vulnerability checks and system reconnaissance commands, almost 5% of the attacks have been launched to facilitate XMRig cryptocurrency miner delivery.

Researchers showed how GitHub Copilot and Cursor could be manipulated with hidden Unicode.

More than a quarter of the bogus packages were purporting to be time-related utilities.

The theme had millions of installations before it was removed in late February.