Attackers are abusing GitHub infrastructure to mine cryptocurrency

The popular code repository hosting service GitHub is investigating a crypto-mining campaign abusing its infrastructure.

Code repository hosting service GitHub launched an investigation in a series of attacks aimed at abusing its infrastructure to illicitly mine cryptocurrency.

Such kind of attacks was reported at least since the end of 2020, when some software developers reported the malicious activity on their repositories.

“I was attacked by a github user that crafted a malicious github action to start a crypto-mining program inside an action run. He triggered it in my github actions thanks to a shitty pull request.” reads a post reporting a similar attack.

The Record reported that threat actors are abusing the GitHub Actions feature which was implemented to allow the automatic execution of software workflows.

Experts warn that threat actors are targeting repositories that have this feature enabled to add malicious GitHub Actions and fill malicious Pull Requests to execute the malicious attacker’s code.

“In a phone call today, Dutch security engineer Justin Perdok told The Record that at least one threat actor is targeting GitHub repositories where Actions might be enabled. The attack involves forking a legitimate repository, adding malicious GitHub Actions to the original code, and then filing a Pull Request with the original repository in order to merge the code back into the original.” reported The Record.

“But the attack doesn’t rely on the original project owner approving the malicious Pull Request. Just filing the Pull Request is enough for the attack, Perdok said.”

In recent attacks, threat actors are executing their own malicious code to mine cryptocurrency miners on the infrastructure of the code repository hosting service, in some cases, attackers could deploy hundreds of miners in a single attack.

Such kind of attacks have a significant impact on the computational capabilities of the abused infrastructure.

Perdok told The Record that he has identified at least one account responsible for the creation of hundreds of Pull Requests containing malicious code.

The expert was also the victim of a similar attack:

GitHub told The Record that that is investigating the attacks.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, mining)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.