GitHub Infrastructure Used to Mine Cryptocurrency

Software developers have reported a series of malicious activities on their repositories, all aimed at mining cryptocurrency. The attacks have been happening since November 2020, with the first report made by a French software engineer.





It looks like the threat actors are abusing GitHub Actions, a feature implemented to allow automatic execution of software workflows.


The threat actors seem to be targeting repositories that have this feature enabled so that they can add malicious GitHub Actions and file Pull Requests that will later help them execute malicious code.



In a phone call today, Dutch security engineer Justin Perdok told The Record that at least one threat actor is targeting GitHub repositories where Actions might be enabled. The attack involves forking a legitimate repository, adding malicious GitHub Actions to the original code, and then filing a Pull Request with the original repository in order to merge the code back into the original.


But the attack doesn’t rely on the original project owner approving the malicious Pull Request. Just filing the Pull Request is enough for the attack, Perdok said.
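A defender-side triage check for the pattern described above (a Pull Request from a fork that adds or changes GitHub Actions workflows), as an added example that is not part of the original article. Field names follow GitHub's REST API pull-request and file objects; the `TRUSTED` policy, the helper names and the sample data are assumptions constructed for illustration.

```python
from pathlib import PurePosixPath

# Author associations treated as trusted: a policy choice assumed for this example.
TRUSTED = {"OWNER", "MEMBER", "COLLABORATOR"}

def is_workflow_path(path):
    """True for YAML files under .github/workflows/."""
    p = PurePosixPath(path)
    return p.parts[:2] == (".github", "workflows") and p.suffix in (".yml", ".yaml")

def triage(pr, files):
    """Report workflow files a PR touches and whether to hold it for review."""
    touched = set()
    for f in files:
        # A rename can move a file into or out of the workflows directory.
        for name in (f["filename"], f.get("previous_filename")):
            if name and is_workflow_path(name):
                touched.add(name)
    head_repo = pr["head"]["repo"]  # None once the fork has been deleted
    from_fork = head_repo is None or head_repo["full_name"] != pr["base"]["repo"]["full_name"]
    untrusted = pr["author_association"] not in TRUSTED
    return {"number": pr["number"], "workflow_files": sorted(touched),
            "hold_for_review": bool(touched) and from_fork and untrusted}

def _pr(number, assoc, head, base="upstream/project"):
    """Build a constructed PR object with only the fields triage() reads."""
    return {"number": number, "author_association": assoc,
            "head": {"repo": {"full_name": head} if head else None},
            "base": {"repo": {"full_name": base}}}

# Constructed sample data, not taken from any real repository.
SAMPLE = [
    (_pr(101, "NONE", "fork-user/project"),
     [{"filename": ".github/workflows/ci.yml", "status": "modified"},
      {"filename": "README.md", "status": "modified"}]),
    (_pr(102, "FIRST_TIME_CONTRIBUTOR", "other-user/project"),
     [{"filename": "docs/usage.md", "status": "modified"}]),
    (_pr(103, "MEMBER", "upstream/project"),
     [{"filename": ".github/workflows/release.yaml", "status": "added"}]),
    (_pr(104, "NONE", None),
     [{"filename": ".github/workflows/build.yml", "status": "renamed",
       "previous_filename": "scripts/build.yml"}]),
]

if __name__ == "__main__":
    for pr, files in SAMPLE:
        print(triage(pr, files))
```

Because the article notes that filing the Pull Request alone is enough, a check like this belongs at the point where the Pull Request is opened, not at merge time.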




Interestingly enough is the fact that in the most recent ..
