Cybercriminals have infiltrated the server infrastructure of the code-hosting platform GitHub to use its resources for illicit cryptocurrency mining. The information comes from a report published by The Record, whose team confirmed the story with a GitHub spokesperson.
The electronic break-ins started in the fall of 2020 but were first discovered in November by a French software engineer. These intrusions revolve around abusing a GitHub feature called GitHub Actions, which allows users to automatically execute processes and workflows when specific events occur in their repositories. Hackers would fork a repository (make a copy of it used for testing without affecting the original code), insert the malicious code, and open a pull request against the original repository. The pull request would, if approved, merge the modified code with the original code.
The problem is that repository owners didn’t even have to approve the pull request for the break-in to happen. As soon as the request was filed, GitHub would read the hacker’s code, which would launch a virtual machine for downloading and running cryptocurrency mining software.
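As an added example (not code from The Record's report or from GitHub), here is a maintainer-side triage check for the pattern described above: a pull request from a fork that changes workflow files should wait for a maintainer before any automation runs. Field names follow GitHub's REST API pull request and file objects; the hold policy, the function names and the sample records are constructed assumptions.

```python
from pathlib import PurePosixPath

# author_association values GitHub reports for accounts with no merged history here
UNTRUSTED = {"NONE", "FIRST_TIMER", "FIRST_TIME_CONTRIBUTOR"}

def is_workflow_file(path):
    """True for files GitHub Actions loads as workflows (top-level .github/workflows)."""
    p = PurePosixPath(path)
    return p.parts[:2] == (".github", "workflows") and p.suffix in {".yml", ".yaml"}

def triage(pr, files):
    """Return a hold decision and the reasons for one pull request (hypothetical policy)."""
    repo = pr["head"].get("repo")              # null when the source fork was deleted
    from_fork = repo is None or repo["fork"]   # unknown origin is treated as a fork
    touched = [f["filename"] for f in files
               if f["status"] != "removed" and is_workflow_file(f["filename"])]
    reasons = []
    if from_fork and touched:
        reasons.append("fork PR changes workflow files: " + ", ".join(touched))
        if pr["author_association"] in UNTRUSTED:
            reasons.append("author has no merged history in this repository")
    return {"number": pr["number"], "hold": bool(reasons), "reasons": reasons}

# Constructed sample records (not real pull requests)
SAMPLE = [
    ({"number": 101, "author_association": "NONE",
      "head": {"repo": {"fork": True}}},
     [{"filename": ".github/workflows/ci.yml", "status": "modified"},
      {"filename": "README.md", "status": "modified"}]),
    ({"number": 102, "author_association": "CONTRIBUTOR",
      "head": {"repo": {"fork": True}}},
     [{"filename": "src/app.py", "status": "modified"}]),
    ({"number": 103, "author_association": "MEMBER",
      "head": {"repo": {"fork": False}}},
     [{"filename": ".github/workflows/ci.yml", "status": "modified"}]),
]

def run_samples():
    """Triage every constructed sample record."""
    return [triage(pr, files) for pr, files in SAMPLE]

if __name__ == "__main__":
    for result in run_samples():
        print(result)
```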
According to Dutch engineer Justin Perdok, the hackers would activate up to 100 crypto miners in a single break-in. Perdok himself saw his projects abused in this way. The intruders seemed to specifically target GitHub project owners who had automated workflows set up. These intrusions would not damage user repositories in any way, nor would they utilize user resources for their mining operations. Instead, they abused the GitHub server infrastructure and its computational power to mine cryptocurrencies for free.
In an email correspondence with The Record, the GitHub spokesperson said they were aware of the issue and actively investigating. However, no permanent solution has been found so far. Instead, the company is currently trying to identify the compromised accounts and remove them from the platform.