In summary, yesterday, I was attacked by a GitHub user who crafted a malicious GitHub Action to start a crypto-mining program inside an action run...
dns.google is Google's public DNS server. They're just using its HTTP API to do a DNS lookup for poolio.magratmail.xyz and get its IP address. Although, since their script installed curl via apt, I wonder why they didn't just install dnsutils and use nslookup or dig 🤔

It may be an easy way to avoid being stopped by a security tool watching outbound DNS traffic and flagging lookups to suspicious sites. .xyz is a suspicious TLD and poolio.magratmail.xyz may get flagged. The HTTP request to dns.google is encrypted; you don't know what they're resolving by inspecting the wire.

That's a great point! I didn't even consider that. Pretty clever if that's the case.
What strikes me on your screenshot: In GitHub's free plan, there is a limit of 20 concurrent jobs per starting user. Your screenshot shows that PR started exactly 20 jobs.
I always thought that for a pull request, the user who submitted the pull request counts as the starting user, not the user whose repo is receiving the pull request. So there would be no incentive to create a pull request instead of running the actions in their own fork.
Or are you using some custom runners, not the ones provided by GitHub?
No I'm not running custom runners.
This is a very good remark...
Do you want to try? Parallel runners
Yes, I wanted to try and the results surprised me. Opened a discussion at github.community/t/whose-concurren...
Can you explain the relationship with your wife on the phone and you couldn't access your computer? Are you still living in 1998 and can't have internet AND the phone at the same time? :D
(if yes look out for The Matrix, a cool movie that will come out next year!)
Ahah, you don't get the logic 😁 because of the call I had to pause the series, since we are watching it together. Anyway, I edited the post to make it clearer 😜
I pray for next year to be 1998 😃 since a must-have album from the French rap band IAM was just released, it is also the year the French football team won its first World Cup, and, as you mentioned, The Matrix was about to be released 👍
(but after get me back in 2021 please)
Ah yeah, clearly the best rap album of all time ;)
One of my repos got attacked yesterday. I am glad that I turned off my EC2 runner the night before. The not-being-able-to-sleep part is a real deal. I disabled all my actions on all my public repos until this gets resolved. Even though it impacts GitHub infra and not the users or their code, I love GitHub services and community. I was looking for a way to restrict workflow changes (did not find anything yet).
I really enjoyed reading your post. 😀
Dude, I love your poor man's Qube OS :D
One of the more significant trends is described as a crypto-mining attack where someone submits a PR infected with code to mine in GitHub Actions. CI/CD-based crypto-mining attack: this is the type of attack where malicious actors take advantage of repositories' CI/CD workflows to execute illicit cryptocurrency mining scripts that use the project's resources for illegal mining. One may submit a pull request and, using the GitHub Actions workflow that automatically runs for every PR, add crypto-mining code to it. It drains resources and, on the same note, is a security risk as well.
waterfall.network/individuals#stat... To help mitigate these attacks, repository owners can require stricter permissions, review workflow files carefully before use, or consider using tools like secret scanning and dependency review. For further information and cyber-attack stats, please visit this site. With the threat landscape becoming more complex, staying prepared and making use of advanced security solutions is essential to stay safe.
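Two points in this thread lend themselves to a small detection script: the observation that resolving the pool domain through dns.google's HTTPS API hides the lookup from anything watching port-53 DNS, and the note above that PR-triggered workflows need review before they run. The following is an added example, not code from the post author or any commenter: a stdlib-only Python scanner that reads a workflow file's text, pulls out every `run:` step (including `run: |` blocks), and flags DNS-over-HTTPS resolver calls, hostnames under suspicious TLDs, and PR-triggered workflows with no `timeout-minutes` (GitHub's default job cap is 360 minutes, which is all a miner needs). dns.google and the .xyz domain are the ones named in the thread; the other resolver hostnames, the extra TLDs, and both sample workflows are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlparse

# Public DNS-over-HTTPS resolver endpoints. A lookup sent to one of these over
# HTTPS never appears as a port-53 query, so a monitor that only inspects DNS
# traffic sees nothing. dns.google is the one named in the thread; the other
# two are assumptions added for illustration.
DOH_RESOLVERS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}

# TLDs that deserve a second look. ".xyz" comes from the thread; the rest are
# an assumed, tunable list.
SUSPICIOUS_TLDS = {"xyz", "top", "tk"}

URL_RE = re.compile(r"https?://[^\s\"'`)]+")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+([a-z]{2,})\b", re.IGNORECASE)
RUN_RE = re.compile(r"^\s*(?:-\s*)?run:\s*(.*)$")


def run_commands(text):
    """Yield the shell text of every `run:` step, including `run: |` blocks."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        match = RUN_RE.match(lines[i])
        if match:
            body = match.group(1).strip()
            if body in ("|", ">", "|-", ">-"):
                # Block scalar: collect the more-indented lines that follow.
                indent = len(lines[i]) - len(lines[i].lstrip())
                i += 1
                block = []
                while i < len(lines) and (
                    not lines[i].strip()
                    or len(lines[i]) - len(lines[i].lstrip()) > indent
                ):
                    block.append(lines[i].strip())
                    i += 1
                yield "\n".join(block)
                continue
            yield body
        i += 1


def scan_command(cmd):
    """Return (rule, detail) findings for one shell command."""
    findings = []
    for url in URL_RE.findall(cmd):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if host in DOH_RESOLVERS:
            # The dns.google JSON API carries the queried name in ?name=...
            name = parse_qs(parsed.query).get("name", ["<unknown>"])[0]
            findings.append(("doh-lookup", f"{host} asked to resolve {name}"))
    for match in HOST_RE.finditer(cmd):
        if match.group(1).lower() in SUSPICIOUS_TLDS:
            findings.append(("suspicious-tld", match.group(0)))
    return findings


def scan_workflow(text):
    """Scan a workflow file's text; return a de-duplicated list of findings."""
    findings = []
    seen = set()
    if re.search(r"\bpull_request\b", text) and not re.search(
        r"^\s*timeout-minutes:", text, re.M
    ):
        findings.append(("no-timeout",
                         "PR-triggered job has no timeout-minutes (default cap: 360 min)"))
    for cmd in run_commands(text):
        for finding in scan_command(cmd):
            if finding not in seen:
                seen.add(finding)
                findings.append(finding)
    return findings


# Constructed sample: the shape of the PR-triggered job the thread describes
# (pool domain taken from the thread; everything else is made up).
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - run: |
          sudo apt-get install -y curl
          curl -s "https://dns.google/resolve?name=poolio.magratmail.xyz"
"""

# Constructed sample of the same workflow with a job timeout and no odd lookups.
HARDENED_WORKFLOW = """\
name: ci
on: [pull_request]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - uses: actions/checkout@v2
      - run: npm test
"""

if __name__ == "__main__":
    for rule, detail in scan_workflow(SAMPLE_WORKFLOW):
        print(f"[{rule}] {detail}")
```

Run against the constructed sample it reports the DoH lookup (with the name being resolved), the .xyz hostname, and the missing timeout; the hardened sample produces nothing. Running it as a required check on changes under `.github/workflows/` gives a reviewer a hint before a PR's workflow is allowed to execute.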
idk if this will help, but "y4ndex" in his nickname means Yandex, which is a Russian search engine. If he's a hater of this, maybe he's somewhere near that region.