Attack on GitHub Actions for cryptocurrency mining on GitHub servers

GitHub is investigating a series of attacks in which attackers managed to organize cryptocurrency mining in the GitHub cloud infrastructure using the GitHub Actions mechanism to run their code. The first attempts to use GitHub Actions for mining date back to November last year.

GitHub Actions allows developers to attach handlers that automate various operations on GitHub. For example, GitHub Actions can run checks and tests on every commit or automate the processing of new issues. To start mining, the attackers fork a repository that uses GitHub Actions, add new GitHub Actions workflows to their copy, and send a pull request to the original repository proposing to replace the existing GitHub Actions handlers with the new “.github/workflows/ci.yml” handler.

A malicious pull request spawns multiple runs of the GitHub Actions handler specified by the attacker; each run is interrupted after 72 hours by a timeout, fails, and then starts again. To attack, an attacker only needs to create a pull request: the handler starts automatically without any confirmation from or participation by the maintainers of the original repository, who can only notice the suspicious activity and stop the GitHub Actions jobs that are already running.

In the ci.yml handler added by the attackers, the “run” parameter contains obfuscated code (eval "$(echo 'YXB0IHVwZGF0ZSAt…' | base64 -d)"), which, when executed, tries to download and run the mining program. In the first variants of the attack, seen across different repositories, a program called npm.exe, built as an ELF executable for Alpine Linux (the distribution used in Docker images), was uploaded to GitHub and GitLab. In newer variants of the attack, the generic XMRig miner source code is downloaded from the official project repository and then built with the wallet address and the servers for sending data substituted.
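A defender-side check for this pattern, as an added example that is not part of the original article or of any GitHub tooling: it pulls the `run` scripts out of a workflow file and flags steps that feed base64-decoded text to eval or a shell, decoding the literal so a reviewer can see what the step would actually run. The sample workflow is constructed to model the attacker's ci.yml, and the function names (`extract_run_scripts`, `scan_workflow`) are assumptions of this example.

```python
import base64
import re

# Constructed sample modelled on the attacker-supplied ci.yml the article describes;
# step 0 hides its command behind eval + base64 -d (here a harmless echo), step 1 is benign.
SAMPLE_WORKFLOW = """\
on: [pull_request]
jobs:
  build:
    steps:
      - run: eval "$(echo 'ZWNobyBjb25zdHJ1Y3RlZCBzYW1wbGUgcGF5bG9hZA==' | base64 -d)"
      - run: |
          npm ci
          npm test
"""

RUN_RE = re.compile(r"^\s*-?\s*run:\s*(?P<inline>\S.*)?$")
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
# base64 -d output reaching eval/sh, either through $(...) substitution or a pipe
DECODE_EXEC_RE = re.compile(r"eval\s+[\"']?\$\(.*base64\s+(-d|--decode)"
                            r"|base64\s+(-d|--decode)\b.*\|\s*(sh|bash|eval)\b", re.S)

def extract_run_scripts(text):
    """Return the script of every `run:` step, including `run: |` block scalars."""
    lines, scripts, i = text.splitlines(), [], 0
    while i < len(lines):
        m, i = RUN_RE.match(lines[i]), i + 1
        if m and (m.group("inline") or "").strip() not in ("", "|", "|-", ">", ">-"):
            scripts.append(m.group("inline").strip())           # inline one-liner
        elif m:                                                 # block scalar: deeper-indented lines
            col, body = m.group(0).index("run:"), []
            while i < len(lines) and (not lines[i].strip() or len(lines[i]) - len(lines[i].lstrip()) > col):
                body.append(lines[i].strip())
                i += 1
            scripts.append("\n".join(body).strip())
    return scripts

def scan_workflow(text):
    """Flag run steps whose decoded base64 reaches a shell; 'decoded' previews the payload."""
    findings = []
    for n, script in enumerate(extract_run_scripts(text)):
        if not DECODE_EXEC_RE.search(script):
            continue
        decoded = None
        try:
            blob = B64_RE.search(script).group(0)
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")[:80]
        except (AttributeError, ValueError):                    # no literal, or not valid base64
            pass
        findings.append({"step": n, "decoded": decoded})
    return findings
```

Run it over every workflow file touched by an incoming pull request; a non-empty result is a reason to cancel the job and review the change by hand.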

Source: opennet.ru