Coinbase, the largest crypto exchange in the United States, has successfully fended off a supply chain attack that could have undermined open source infrastructure.
On March 23, Yu Jian, founder of blockchain security company SlowMist, flagged the incident in an X post, referring to a report from Unit 42, the threat intelligence division of Palo Alto Networks.
How Coinbase has stopped major cyberattacks
According to Unit 42, the attackers targeted “AgentKit,” an open source toolkit managed by Coinbase, which supports blockchain-based AI agents.
The threat actor forked the AgentKit and onchainkit GitHub repositories to insert malicious code intended to exploit the continuous integration pipeline. Suspicious activity was first detected on March 14, 2025.
“The payload focused on leveraging the public CI/CD flow of one of the open source projects, AgentKit, perhaps with the aim of leveraging it for further compromise,” Unit 42 reported.
The attacker was able to exploit GitHub’s “write” permissions and inject harmful code into the automated workflow of the project. This method could have enabled access to sensitive data and created a path for a wider compromise.
A malicious commit targeting Coinbase. Source: Unit42
However, Unit 42 reported that although the payload collected sensitive information, it did not include advanced malicious tools such as remote code execution or reverse shell exploits.
Meanwhile, Coinbase responded quickly, working with security experts to contain the threat and apply the necessary mitigations. This prompt action helped the company avoid deeper intrusions and prevent potential damage to its infrastructure.
Coinbase is the largest crypto exchange in the United States, and the stakes were high given its position as an important custodian for spot Bitcoin ETFs.
A breach of this nature could have caused major disruptions across the crypto industry, particularly after Bybit’s recent $1.4 billion security incident.
Despite the failed attempt, the attackers have since shifted their focus to a larger campaign, which has now attracted global attention.
In light of this, the founder of SlowMist advised developers using GitHub Actions, specifically TJ-actions or ReviewDog, to audit their systems and make sure no secrets are public.
“If your company uses ReviewDog or TJ-actions, do a thorough self-examination,” Yu Jian said on X.
The incident underscores the growing importance of protecting open source tools as the crypto ecosystem expands. DefiLlama’s data shows the crypto industry has recorded over $1.5 billion in exploits this year.