Azure VMs and GitHub vector for a new crypto mining campaign

Azure VM Virtual Machine GitHub Attack Vector Cyypto Mining

Researchers revealed a cloud-based crypto mining campaign that targets GitHub Actions and the Azure Virtual Machines. This cryptocurrency attack targets repositories and code samples to target users of the earlier mentioned entities.

The report on these new observations indicates that more than a thousand repositories and over 500 code samples were observed exploiting the GitHub Actions to mine cryptocurrency using the runners given by GitHub.

The threat actors also utilise Windows runners hosted on Azure to execute a crypto mining operation. The operation adopts several persistence techniques to stay obfuscated from GitHub and stop its actions from being deactivated.

The malicious threat actors commonly input the cloud deployments by abusing a security vulnerability in the landscape, such as unpatched flaws, misconfigured cloud implementations, or the gold old fashion incompetent credentials.


GitHub’s runners have given the crypto mining attack a chance to navigate its targets.


The crypto mining operators exploited the runners given by GitHub to operate an organisation’s pipelines and automation by maliciously installing miners. The Windows and Linux runners were hosted on Azure and contained two vCPUs and approximately seven gigabytes of memory.

Furthermore, researchers examined a different GHA YAML script found on GitHub, trying to mine different kinds of cryptocurrency.

Researchers elaborated that the performance of an infrastructure compromised with a miner shows signs of slowing down, unlike its post-infection behaviour. To prove to the host that the attack impacts an organisation, the analysts launched the XMRig on one of its systems, increasing CPU usage from an average of 13%.

Due to infection, the amount of electricity to targeted organisations spiked from $20 to over a hundred dollars per month. The more concerning part is that this electricity is only under a single cloud instance.

Cybersecurity experts expect that organisations should now consistently monitor their GitHub Actions to identify any signs of exploit. This method could allow an organisation to identify the abuse before it gets worse or cause any damage. Lastly, all cryptocurrency wallets should be present in GHA.

About the author

Leave a Reply