An attack that uses GitHub's server for crypto asset mining was found, and GitHub Actions was abused

It turned out that GitHub's server is being used for crypto asset (virtual currency) mining by exploiting

News site Bleeping Computer reports that the attack began by forking a legitimate repository that enabled GitHub Actions, then inserting malicious code into the forked version. It then submits a pull request to the maintainers of the original repository to merge and return the code.

The screenshot of the repository that was actually attacked looks like this.

One of my repo's just got hit with a similar attack. Account in question has a bunch of other open PR's that currently have miners running. Https://t.co/PZxApykuO9 pic.twitter.com/zugl7mFK0K

— Justin Perdok (@JustinPerdok) April 2, 2021

According to Justin Perdok, who reported the attack, the trigger for the attack was 'submit a pull request' and the pull request does not need to be approved.

According to Bleeping Computer, a malicious pull request asks GitHub's server to download 'npm.exe' hosted on GitLab. This 'npm.exe' is a mining program that has nothing to do with the Node.js installer or Node Package Manager, and it executes mining via the arguments and wallet address provided by the attacker.

In the past, there was an attack that exploited the infrastructure of GitHub via GitHub Actions, and a botnet was hosted, but this attack seems to be just using the server for mining. Has been done.