GitHub Actions Abused to Mine Cryptocurrency On GitHub Servers

GitHub Actions Abused to Mine Cryptocurrency On GitHub Servers

Attackers abuse GitHub Actions to mine cryptocurrency on GitHub’s servers in automated attacks.

GitHub Actions is a feature that makes it easy to automate repetitive tasks in software workflows and is used extensively by developers in a big number of projects.

In these attacks, bad actors add malicious GitHub Actions code to the repositories forked from legitimate ones, and then merge the malicious code back with the original repo.

A Dutch security engineer Justin Perdok, who initially reported the scheme shared a screenshot showing that at least 95 repositories had been targeted so far.

But, what’s interesting, the maintainer of the original project does not need to approve the malicious Pull Request. Perdok says that merely making a Pull Request is enough to complete the attack because all targeted projects have automated workflows that auto validate Pull Requests via Actions.

Upon a successful merge, GitHub’s systems would execute the attacker’s code which will download a cryptocurrency miner from GitLab which is mislabeled npm.exe, and run it.

But this npm.exe is a known crypto miner and has nothing to do with the official NodeJS installers or Node Package Manager (npm).

After the initial discovery has been reported, BleepingComputer came across copycat campaigns, in which attackers create malicious Pull Requests targeting projects that use GitHub Actions. The attackers have targeted over 50 legitimate repositories so far, according to BleepingComputer.

In the tests, the malicious EXE connected to the cryptocurrency pool and began mining coins, BleepingComputer wrote.

Consequently, BleepingComputer has analyzed a variation of these attacks in which threat actors use the open-source XMRig crypto-miner. The attackers pulled in the XMRig crypto-miner right from XMRig’s official GitHub repository, according to the security blog writers.

GitHub stated that they were aware of these campaigns and had started actively investigating them.

About the author

CIM Team

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.