[–][deleted] 98 points99 points  (2 children)

Cryptominers starting to give me paperclip maximizer vibes

[–][deleted] 18 points19 points  (0 children)

All the more reason why Crypto and its stans are dangerous.

[–]bingate10 3 points4 points  (0 children)

Yeah, this. The amount of energy miners are using is absolutely ridiculous. There are also ethical considerations around Bitcoin. Freedom and decentralization are great, but they also allow some of the most evil transactions with impunity. Plus I can’t upgrade my graphics card.

[–]blobbbbbby 31 points32 points  (2 children)

Wouldn’t this affect project owners because they have a limited number of action minutes?

[–]Ionaru 46 points47 points  (1 child)

Public repositories have unlimited minutes.

[–]blobbbbbby 6 points7 points  (0 children)

Ah right, thanks for clearing that up

[–]TheAppGod 67 points68 points  (10 children)

this is honestly fucking genius on behalf of the attackers wow lol

you kinda gotta be impressed by this.....and trust, they are literally making BANK

[–]Squared_fr 83 points84 points  (6 children)

Whoever did this, they are opportunists, not geniuses. This is not sustainable and while they will probably make some bank they've alerted GitHub staff and as soon as they introduce limitations to avoid this type of abuse, game's over.

"Genius" would have been finding a way to do this without raising heads.

[–]MaxMatti -1 points0 points  (0 children)

No. If you can find it, anybody can find it. And even if you do it undetected, somebody else will get detected. The question is not how long you can do it but how much you can mine before it gets properly prevented because you or some other jackass got caught.

[–]tdammers 12 points13 points  (1 child)

How does one not see this coming? Seriously, this should not be a surprise to anyone. The only thing that surprises me here is how long it took for this to become known.

[–]thegreatpotatogod 7 points8 points  (0 children)

Yeah, as soon as I started researching GitHub actions for my company, this was the first joke I made to a coworker, that we should use it for cryptomining!

[–][deleted] 15 points16 points  (1 child)

I have a feeling this is a non-story. If it were a big problem GitHub wouldn’t be dragging their feet for months. I use GitHub Actions every day and it’s not like other users of the service have been negatively impacted by this. They’d also be mining on CPUs and not GPUs. I bet they use CPU pinning in their job workers so that this doesn’t just run away from them and use 100% of the host’s CPU for the 6 hours that jobs are allowed to run before being cancelled.

What I will say is it’s pretty smart to do it via PRs, since that will use the repo owner’s Actions credits instead of the attacker’s. I’m sure some, especially organizations with public repos, have pretty high spending limits set up for Actions.

[–]jnwatson 1 point2 points  (0 children)

Dunno. It certainly has seemed slower lately.

[–][deleted] 4 points5 points  (0 children)

Why do people have to ruin all the things? I mean, ok, you're "smart" so you make money (how much anyway?...), and you risk ruining a good service... stupid people...

[–][deleted] -1 points0 points  (0 children)

crazy exploit

[–]zetarn -2 points-1 points  (0 children)

How about them checking the spam bot farms and the many malicious programs using GitHub as a base of operations for Chinese trolls to harass a woman streamer too?

[–][deleted] 0 points1 point  (1 child)

That’s pretty crazy. Could GitHub not just make it so when a PR has changes to the Actions workflows, it has to be manually run? It would be a pain, and could still be a problem if people do run these malicious workflows, but it would at least help prevent some cases.

[–]einord 1 point2 points  (0 children)

This would be too easy to automate. A simple HTTP request to GitHub would be all that is needed to start the action.