Attackers are abusing GitHub infrastructure to mine cryptocurrency

Pierluigi Paganini April 03, 2021

The popular code repository hosting service GitHub is investigating a crypto-mining campaign abusing its infrastructure.

Code repository hosting service GitHub launched an investigation in a series of attacks aimed at abusing its infrastructure to illicitly mine cryptocurrency.

Such kind of attacks was reported at least since the end of 2020, when some software developers reported the malicious activity on their repositories.

“I was attacked by a github user that crafted a malicious github action to start a crypto-mining program inside an action run. He triggered it in my github actions thanks to a shitty pull request.” reads a post reporting a similar attack.

The Record reported that threat actors are abusing the GitHub Actions feature which was implemented to allow the automatic execution of software workflows.

Experts warn that threat actors are targeting repositories that have this feature enabled to add malicious GitHub Actions and fill malicious Pull Requests to execute the malicious attacker’s code.

“In a phone call today, Dutch security engineer Justin Perdok told The Record that at least one threat actor is targeting GitHub repositories where Actions might be enabled. The attack involves forking a legitimate repository, adding malicious GitHub Actions to the original code, and then filing a Pull Request with the original repository in order to merge the code back into the original.” reported The Record.

“But the attack doesn’t rely on the original project owner approving the malicious Pull Request. Just filing the Pull Request is enough for the attack, Perdok said.”

In recent attacks, threat actors are executing their own malicious code to mine cryptocurrency miners on the infrastructure of the code repository hosting service, in some cases, attackers could deploy hundreds of miners in a single attack.

Such kind of attacks have a significant impact on the computational capabilities of the abused infrastructure.

Perdok told The Record that he has identified at least one account responsible for the creation of hundreds of Pull Requests containing malicious code.

The expert was also the victim of a similar attack:

One of my repo's just got hit with a similar attack. Account in question has a bunch of other open PR's that currently have miners running. https://t.co/PZxApykuO9 pic.twitter.com/zugl7mFK0K
— Justin Perdok (@JustinPerdok) April 2, 2021

Miner itself is downloaded from gitlab. pic.twitter.com/5twTjuL2vK
— Justin Perdok (@JustinPerdok) April 2, 2021

GitHub told The Record that that is investigating the attacks.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, mining)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini July 11, 2025

U.S. CISA adds Citrix NetScaler ADC and Gateway flaw to its Known Exploited Vulnerabilities catalog

Pierluigi Paganini July 10, 2025