Coinbase Thwarts Supply Chain Attack on Open-Source Toolkit

Generated by AI agent Coin World
Sunday, March 23, 2025, 12:27 pm ET · 2 min read

Coinbase, the largest crypto exchange in the US, successfully evaded a supply chain attack that could have compromised its open-source infrastructure. The incident was flagged by Yu Jian, founder of blockchain security firm SlowMist, on March 23. The attacker targeted ‘agentkit’, an open-source toolkit managed by Coinbase that supports blockchain-based AI agents. The threat actor forked the agentkit and onchainkit repositories on GitHub, inserting malicious code intended to exploit the continuous integration pipeline. The suspicious activity was first detected on March 14, 2025.

The payload was focused on exploiting the public CI/CD flow of one of Coinbase’s open-source projects, agentkit, probably with the purpose of leveraging it for further compromises. The attacker exploited GitHub’s “write-all” permissions, which allowed the injection of harmful code into the project’s automated workflow. This method could have enabled access to sensitive data and created a path for broader compromises. However, the payload collected sensitive information and did not contain advanced malicious tools like remote code execution or reverse shell exploits.

Coinbase responded quickly, collaborating with security experts to isolate the threat and apply necessary mitigations. This rapid action helped the company avoid deeper infiltration and prevented potential damage to its infrastructure. The stakes were high, as a breach of this nature could have caused major disruption across the crypto industry, especially after Bybit’s recent security incident.

Despite the failed attempt, the attacker has since shifted focus to a larger campaign now drawing global attention. In light of this, the SlowMist founder advised developers using GitHub Actions, especially those working with tj-actions or reviewdog, to audit their systems and confirm that no secrets have been exposed. This incident highlights the growing importance of securing open-source tools as the crypto ecosystem expands.
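As an added example (not code from Coinbase, SlowMist or the agentkit project), one way to begin the audit recommended above is a small Python check that flags `permissions: write-all`, a missing `permissions` key, and steps that use actions owned by tj-actions or reviewdog. The full-commit-SHA pin check goes beyond the article as a general hardening check; the sample workflow and the placeholder SHA in it are constructed.

```python
import re

# Action owners named in the article's advisory.
FLAGGED_OWNERS = ("tj-actions", "reviewdog")
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([\w.-]+)/[\w./-]+@([^\s'\"#]+)")
WRITE_ALL_RE = re.compile(r"^\s*permissions:\s*['\"]?write-all['\"]?\s*(?:#.*)?$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text):
    """Return sorted (line_number, finding) tuples for one workflow file."""
    findings = []
    saw_permissions = False
    for number, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # ignore commented-out YAML
        if re.match(r"^\s*permissions:", line):
            saw_permissions = True
        if WRITE_ALL_RE.match(line):
            # The workflow token is granted every write scope.
            findings.append((number, "write-all"))
        match = USES_RE.match(line)
        if match and match.group(1) in FLAGGED_OWNERS:
            # A tag or branch ref can be moved; a full commit SHA cannot.
            pinned = bool(FULL_SHA_RE.match(match.group(2)))
            findings.append((number, "flagged-action-pinned" if pinned
                             else "flagged-action-mutable-ref"))
    if not saw_permissions:
        # Without a permissions key the token gets the repo/org default scopes.
        findings.append((0, "no-permissions-block"))
    return sorted(findings)


# Constructed sample workflow (not taken from agentkit or any real repository).
SAMPLE = """\
name: ci
on: pull_request
permissions: write-all
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v1
      - uses: reviewdog/action-setup@0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    for number, finding in audit_workflow(SAMPLE):
        print(f"line {number}: {finding}")
```

Run it over each file in `.github/workflows/`; it inspects configuration only, so confirming that no secrets were exposed still requires reviewing past workflow runs.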

Coinbase’s swift response to the supply chain attack underscores the critical importance of robust cybersecurity measures in the crypto industry. The attack, which targeted the ‘agentkit’ toolkit, was detected early and mitigated effectively, preventing potential breaches that could have had severe consequences. The use of GitHub’s “write-all” permissions by the attacker highlights a vulnerability that could be exploited to inject malicious code into automated workflows. This incident serves as a reminder of the need for continuous vigilance and proactive security measures in the rapidly evolving landscape of blockchain technology. The crypto industry has seen significant exploits this year, emphasizing the importance of securing open-source tools and infrastructure. Developers and organizations must remain vigilant and implement stringent security protocols to protect against such threats.

The incident involving Coinbase’s ‘agentkit’ toolkit is a stark reminder of the vulnerabilities that exist within the crypto ecosystem. The attack, which aimed to exploit the continuous integration pipeline, could have had far-reaching implications if not detected and mitigated in time. The use of GitHub’s “write-all” permissions by the attacker underscores the need for enhanced security measures in open-source projects. As the crypto industry continues to grow, it is crucial for developers and organizations to prioritize cybersecurity and implement robust protocols to protect against potential threats. The rapid response by Coinbase and the collaboration with security experts demonstrate the importance of proactive measures in safeguarding the integrity of blockchain infrastructure.
