Presented at DEF CON 33 (2025), Aug. 9, 2025, noon (45 minutes).
Every once in a while, we get a grim reminder that the open-source trust model that enables developers to use each other’s code and resources can be abused by attackers.
GitHub users recently received such a wake-up call. In March 2025, the highly publicized "tj-actions" incident came to light, throwing many GitHub organizations and users into a panic as their credentials were leaked through their supply chain. But while most people were alarmed by the massive credential exposure, we were able to piece together evidence showing that the leakage was not the primary goal of this attack, and that the initial buzz was only the tip of the iceberg. Our investigation indicates that other highly popular projects were targeted as part of this campaign, and DEF CON will be the first place we reveal the newly discovered details.
We'll reveal how the attack began months earlier than initially believed, with the attacker compromising multiple open-source projects and using them for lateral movement. We'll detail how the adversary kept a low profile, patiently waiting to spear-target Coinbase. We will dissect the evasion techniques employed and the attacker's modus operandi, showing how the open-source access and trust model was weaponized to deliver a precise and calculated supply chain attack.
References:
- [link](https://unit42.paloaltonetworks.com/github-actions-supply-chain-attack/)
Presenters:
- Aviad Hahami
Security researcher and experienced software engineer with a great passion for algorithms (graph theory specifically), security research (vulnerability research, bug bounties), chaos engineering (YES!), frontends, backends, web services, systems architecture, infras, clouds (making them rain), and more :) Today, researching at Palo Alto Networks. Oh yeah, I also DJ.