The popular source code storage service GitHub is investigating a series of attacks on its cloud infrastructure. Cybercriminals were able to infiltrate the company’s servers and use them for cryptomining. The press secretary of the service told The Record resource.

The attacks began in the fall of 2020 and were carried out through GitHub Actions, a service feature that allows users to automatically complete tasks and workflows when a certain event occurs in one of their GitHub repositories.

Dutch security engineer Justin Perdok told The Record that at least one of the attacks involves sending Pull Requests to make unwanted changes to other people’s repositories. The engineer noted that the attackers are targeting the owners of such GitHub projects, which process Pull Requests automatically, rather than manually.

As soon as such a malicious request is submitted, the GitHub system reads the attacker’s code and launches a virtual machine, which in turn downloads and runs cryptocurrency mining software on the GitHub infrastructure. Mr. Pedok noted that he was faced with the launch of up to a hundred cryptocurrency miners with just one attack – this created a huge computational load on the GitHub infrastructure.

Attacks, according to the specialist, occur randomly and on a large scale. He has identified at least one account making Pull Requests containing malicious code. At the same time, such activity of cybercriminals has been observed since at least November 2020, when a French software engineer reported the first case.

In an email to reporters, GitHub said it is aware of the activity and is actively investigating it – the same service reported to a French engineer last year. Nevertheless, the company seems to be just blocking the accounts of the attackers, and they are registering new ones. At the moment, the attack does not harm users’ projects and seems to focus solely on the abuse of the GitHub infrastructure.