On April 3, 2021, several tech portals announced that GitHub Actions, the technology for continuous integration and deployment on GitHub, was being maliciously used to mine cryptocurrencies.
What are GitHub Actions?
GitHub Actions is the solution that lets you define periodic tasks (or tasks triggered under certain circumstances) to automate our software workflow.
In simplified terms, virtual machines are spun up to perform these tasks. The tasks make it possible to verify that the code in question compiles correctly, run all the unit tests defined in a project … or, as happened here, mine cryptocurrencies.
What is the problem?
Anyone can have a repository with personal or professional projects. Also, anyone can collaborate on these repositories by contributing their own code. Generally, these contributions consist of fixing a bug in the code, adding to the documentation, proposing new features … via a PR, or pull request.
If you use GitHub Actions, or enable them in your repository, the most natural configuration is that when a pull request is opened (that is, a contribution from someone outside the repository in question), the workflow is triggered and runs some tasks on GitHub's infrastructure … and that is where the mining happens.
In the best case, the person responsible for the repository has no bad intentions and may not even be aware of what is going on. This is because for this attack to succeed, no action is required on the part of the person responsible for the repository.
One of my repos just suffered a similar attack. The account in question has a bunch of other open PRs that currently have miners running. https://t.co/PZxApykuO9 pic.twitter.com/zugl7mFK0K
– Justin Perdok (@JustinPerdok) April 2, 2021
According to the screenshot in the tweet above, at least 95 repositories had been affected at that point.
This abuse of pull requests on GitHub ends up penalizing the person who owns or manages the repository: as a result of these runs, the accounts associated with the owner can be blocked.
What’s going to happen?
The GitHub team is aware of the issue and has already started making decisions, including:
When an Action run is suspected or confirmed to be malicious, the consequences will be directed at the attacker and at the repository in which the malicious code is stored.
When a person opens their first pull request against a given repository, manual approval will be required before running the actions that would run automatically for someone who has already proven to be trustworthy and contributes positively to the repository.
With these measures, the automated CI/CD flow may slow down a little, but they help prevent this kind of abuse easily and effectively.
Will these measures be enough? What will the next surprise involving cryptocurrency mining be?
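As an added example (not from the original article and not GitHub's own documentation), here is the kind of workflow the article describes, which runs on every pull request with default settings, beside a hardened version that a repository maintainer can adopt on top of GitHub's manual-approval requirement for first-time contributors. The repository, the `make test` step and the 15-minute limit are assumptions chosen for illustration; the keys and expressions used are standard GitHub Actions syntax.

```yaml
# Weak: triggers on every pull request, including ones from forks,
# runs with the default GITHUB_TOKEN permissions and has no runtime cap.
# A PR that edits the Makefile decides what "make test" actually does.
name: ci-weak
on:
  pull_request:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test   # assumed build/test command
---
# Hardened: same job, with the blast radius reduced.
name: ci-hardened
on:
  pull_request:
    branches: [main]
# Least privilege for the GITHUB_TOKEN the job receives.
permissions:
  contents: read
# A new push to the same PR cancels the previous run, so a flood of
# updates cannot keep many runners busy at once.
concurrency:
  group: ci-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true
jobs:
  build:
    # Do not run automatically for PRs whose head branch lives in a fork;
    # those are the runs the first-contributor approval gate also covers.
    if: github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-latest
    timeout-minutes: 15   # assumed cap on runner time per job
    steps:
      - uses: actions/checkout@v4
      - run: make test   # assumed build/test command
```

The trade-off matches what the article notes: CI for outside contributors becomes a reviewed step rather than an automatic one, but a stray or malicious PR can no longer keep a runner mining for hours with a writable token.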
Until the next article, Microsofters!