As it turns out, some users have been using the Docker Hub auto-build feature to mine cryptocurrency—and it’s a pretty big deal for the company.
“It’s a recurring issue that we have seen a massive growth in, not only in terms of the number of bad actors but also in terms of their sophistication,” wrote Shaun Mulligan, principal product manager at Docker, in a blog post. Essentially, crypto-mining gangs are running amok on free cloud compute platforms, which costs providers a lot of money and degrades performance for paying customers.
The most nefarious actor is PURPLEURCHIN, which uses an automated script to create and run Chrome instances on GitHub repositories and spawn a GitHub Action that runs a container image to mine Monero (XMR) for the attacker. Sysdig’s Threat Research Team uncovered more than 30 GitHub accounts, 2,000 Heroku accounts, and 900 Buddy accounts associated with the actor.
It’s an interesting example of the cloud equivalent of coupon fraud, carried out at a scale that is both untraceable and profitable, and it’s something that isn’t going away anytime soon. This is especially true if CI/CD providers start charging, take away their free tiers, or stop providing them for free altogether.