Security researchers have uncovered a massive cryptocurrency mining operation that abuses GitHub’s automated controls. According to reports, the popular open source code repository is “actively investigating” the reported incidents.
The attacks are reportedly targeted at GitHub repositories that have enabled a feature known as GitHub Actions. The feature is designed to automate the usual tasks that exist in all developer workflows.
Speaking to The Record, Dutch security engineer Justin Perdok said the attackers are specifically looking for projects that test incoming pull requests via automated jobs to inject crypto mining software into GitHub’s cloud infrastructure.
According to Perdok the attacks can be traced back to at least November 2020, when they were first reported by a French developer.
Breaking down the attack, Perdok says the threat actors first fork a software repository and add malicious GitHub Actions to the original code. They then file a legitimate pull request asking to merge their changes to the master repository.
Thanks to the automated processes, as soon as the pull request is filed GitHub will read the malicious GitHub Actions code and spins up a virtual machine, which then downloads and runs cryptocurrency-mining software on GitHub’s infrastructure.
Perdok believes the attacks are happening at scale and has identified at least one account that’s actively creating hundreds of pull requests containing malicious code.
In an email to The Record, GitHub acknowledged the attack saying they are “aware of this activity and are actively investigating”. Reportedly, they said as much to the French developer last year, before deleting the pull requests from the offending account.
We hope that GitHub’s response this time is a bit more concrete and permanent instead of just zapping the malicious pull requests.
Via: The Record