Attackers use GitHub Action to mine cryptocurrency on GitHub servers

GitHub Actions is a CI/CD solution that can automate all software workflows and set up regular tasks. In this attack, the malicious GitHub Actions code was added to a repository that was forked from a legal repository, and a Pull Request was further created, allowing the original repository maintainer to merge the code back to change the original code. And the malicious code will load a mining program npm.exe from GitLab and run it using the attacker’s wallet address.

One of my repo's just got hit with a similar attack. Account in question has a bunch of other open PR's that currently have miners running. https://t.co/PZxApykuO9 pic.twitter.com/zugl7mFK0K

— Justin Perdok (@JustinPerdok) April 2, 2021

According to Dutch security engineer Justin Perdok, the attackers have targeted GitHub repositories that use GitHub Actions to mine cryptocurrencies. Surprisingly, this attack does not require the maintainer of the original project to approve the malicious Pull Request. The malicious attacker merely submits the Pull Request to trigger the attack. This is especially true for GitHub projects that have set up automatic workflows to verify incoming Pull Requests through Action. Once the Pull Request is created for the original project, GitHub’s system will execute the attacker’s code.