While scrolling through my GitHub feed I noticed a recent fork (5 hours ago) of a repo of mine.
Nothing so weird so far.
Out of curiosity I checked if the user wanted to make a decent PR and improve something in the code.
The user in fact made a new commit on their fork and added a new file. A new GitHub action.
Let me explain what happened.
Update: the 2 links below are unavailable since I reported the user and GitHub took action
- this is the pull request
- in the “Files changed” tab you can clearly see that this is a mining attack abusing GitHub Actions
- I don’t think this is directly harmful to the end-user, although it’s still shady af
This new user (account age is a few hours) forked one of my repos.
They opened a shady PR containing the following changes:
They only added a new GitHub Actions workflow, named
Rowr.yml that ran a mining script for 5 hours in a 20 job build matrix.
Here is the joyful script mining away
Another thing I noticed was that they opened and closed the PR three times, to trigger multiple builds
Prevention of such abuse?
Surely reporting the user doesn’t hurt. Although it won’t stop throw-away accounts to pop up and plant malicious code in GitHub actions.
Another maybe more effective measure you can take is to change the GitHub actions permissions to “Allow local actions only”.
I think this means that new GitHub actions that are added through a PR, won’t be automatically run, but only if you merge the PR:
Similar news elsewhere
Just found out that there is a new setting available on GitHub!
The setting is disabled by default, and that’s solving the issue described above.