SoylentNews

Fnord666 writes:

GitHub Actions being actively abused to mine cryptocurrency on GitHub servers

GitHub Actions is currently being abused by attackers to mine cryptocurrency using GitHub's servers in an automated attack.

GitHub Actions is a CI/CD solution that makes it easy to automate all your software workflows and setup periodic tasks.

The particular attack adds malicious GitHub Actions code to repositories forked from legitimate ones, and further creates a Pull Request for the original repository maintainers to merge the code back, to alter the original code. But, an action is not required by the maintainer of the legitimate project for the attack to succeed.

BleepingComputer also observed the malicious code loads a misnamed crypto miner npm.exe from GitLab and runs it with the attacker's wallet address. Additionally, after initially reporting on this incident, BleepingComputer has come across copycat attacks targeting more GitHub projects in this manner.

Here is how it works:

The attack involves first forking a legitimate repository that has GitHub Actions enabled. It then injects malicious code in the forked version, and files a Pull Request for the original repository maintainers to merge the code back. But, in an unexpected twist, the attack does not need the maintainer of the original project to approve the malicious Pull Request.

Perdok says that merely filing the Pull Request by the malicious attacker is enough to trigger the attack. This is especially true for GitHub projects that have automated workflows setup to validate incoming Pull Requests via Actions. As soon as a Pull Request is created for the original project, GitHub's systems would execute the attacker's code which instructs GitHub servers to retrieve and run a crypto miner.

It looks like the validation of the Pull request is what triggers execution of the cryptominer. I wonder how long Github Actions will run a task before killing it?

Original Submission