Crypto-mining attack in my github actions through pull request #25609
-
Hello, some days ago a GitHub user attacked one of my GitHub repositories with a malicious pull request to trigger crypto-mining in my GitHub Actions. The pull request was opened/closed multiple times and each action was starting up to 20 sub-jobs. I was alerted very quickly, stopped the jobs and closed the PR immediately. I wrote a blog post that relates the whole story and gives full details: Github Actions mining attack through Pull Request. It is similar to Massive Cryptomining Campaign Abusing GitHub (…) but differs completely in the implementation. I already reported it to GitHub through the contact form. The malicious action looked like this:
Replies: 9 comments
-
👋 Welcome! I’m sorry that happened. I’ve had a look and your ticket has been worked on by a couple of different teams. That sometimes delays a reply, but I can assure you they’re handling it!
-
I got an answer from support; they confirmed that these kinds of attacks happen and that they took countermeasures quickly, even before I reported it (it was them who flagged and removed the nasty user and pull request). Thank you @canuckjacq and all!
-
Thanks for the update and I’m really glad to hear that. I know these attacks can be alarming.
-
Glad it got resolved and that it was a proactive response. This is a good reminder of what the interface of our modern CI is, the risk that it poses, and why we need to safeguard it. CI systems are Remote Code Execution as a service, nothing more, nothing less. It has a (useful) side effect of being a great way to execute tests; that is the common use case rather than the only one.
-
I’m confused how this is an “attack”, or at least who it’s attacking. GitHub, in their, uh, infinite wisdom, seems to have given the whole internet the ability to submit a shell script that they will run on an arbitrary number of VMs, just by making a free, anonymous account and submitting a PR to any repo. As far as I can tell, the script doesn’t have access to modify your repo or use its / your credentials. It’s just doing what GitHub advertises: running arbitrary code in response to an action. (That code happens to be dumb and wasteful, but GH doesn’t prevent that.)
-
thw0rted:
It’s primarily an attack against GitHub, wasting their resources for creating cryptocurrency. The effect on the repository owner is more like spam, but that’s bad enough already.
-
It would be nice to exclude folders like .github from pull requests opened by non-collaborators.
-
Cryptocurrency is a type of digital currency that uses encryption techniques to regulate the generation of units of currency and verify the transfer of funds. While it offers many benefits, such as decentralized control and increased privacy, it also poses certain risks to investors and users. Despite the risks, cryptocurrency can bring good profits. I trade on [removed by moderator] for several years now, and thanks to a lot of experience, trading brings me a consistently high profit.
-
I believe GitHub added some controls to prevent actions from being run on public repositories. I do know these are not new as I implemented them a while ago at my org: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#controlling-changes-from-forks-to-workflows-in-public-repositories.
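As an added example (editor's addition, not code from the original post, the blog post, or the affected repository), here is a `pull_request` workflow that applies the damage-limiting controls the thread circles around: a read-only token, one in-flight run per PR so repeated open/close cycles cancel each other instead of stacking jobs, a runtime ceiling, a cap on matrix fan-out, and a job guard that skips fork PRs from authors who are not OWNER/MEMBER/COLLABORATOR (the in-workflow approximation of the `.github` exclusion suggested above). The workflow name, job names, Node versions and the `npm` test command are placeholders.

```yaml
# Added example, not from the original thread. Names and commands are placeholders.
name: ci

on:
  pull_request:
    # Plain pull_request: runs in the fork's context with a read-only token.
    # pull_request_target would run with the base repository's secrets; avoid it here.
    types: [opened, synchronize, reopened]

# The default GITHUB_TOKEN is read-only for every job; a job must opt in to more.
permissions:
  contents: read

# One live run per pull request: a reopen or a new push cancels the previous run
# instead of adding another batch of jobs on top of it.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
  cancel-in-progress: true

jobs:
  test:
    runs-on: ubuntu-latest
    # Hard ceiling on runtime so a job cannot keep mining for hours unattended.
    timeout-minutes: 15
    # Run the expensive job only for PRs from this repository itself, or from
    # authors GitHub classifies as OWNER, MEMBER or COLLABORATOR. Anyone else
    # gets no job from this file until a maintainer approves the run.
    if: >-
      github.event.pull_request.head.repo.full_name == github.repository ||
      contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'),
               github.event.pull_request.author_association)
    strategy:
      # Cap parallel fan-out; the reported attack started up to 20 sub-jobs per run.
      max-parallel: 4
      matrix:
        node: [18, 20]
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: ${{ matrix.node }}
      - run: npm ci && npm test   # placeholder for the project's real test command
```

The caveat a practitioner should keep in mind: under the `pull_request` event, Actions executes the workflow definition taken from the PR's merge ref, so a fork PR can simply delete the `if` guard, raise the limits, or add a brand-new workflow file under `.github/workflows`. These settings therefore bound the blast radius of runs you do allow (token scope, duration, parallelism) but do not by themselves stop the pattern described in the opening post. The control that does is the repository or organization setting from the docs page linked in the previous comment (requiring approval for workflow runs from first-time or all outside collaborators), which holds the run for a maintainer's approval regardless of what the PR's workflow file says; pair it with the limits above so that an approved run still cannot burn unlimited minutes.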