Compromised SpotBugs Token Led to GitHub Actions Supply Chain Hack - SecurityWeek

A compromised SpotBugs token from December 2024 was used in a March 2025 GitHub Actions supply chain attack. The token, belonging to a SpotBugs maintainer, was stolen and used to gain write access to the spotbugs/spotbugs repository, leading to the compromise of the tj-actions/changed-files GitHub action. This resulted in the exposure of CI/CD secrets from 218 repositories, impacting roughly 160,000 projects.