Someone Is Trying to Sneak Bitcoin Mining Code Into Open Source Software
There have been some pretty creative attempts to mine bitcoins using unconventional means over the years, from lightbulbs to web browsers. But now, there appears to be a new, and malicious, method: Sneaking bitcoin mining code into open source software.
If successful, this attack would mean that anyone downloading open source software implanted with bitcoin mining code could be unwittingly expending computing power and electricity to generate bitcoins, presumably for someone else. A single bitcoin is worth more than $1,000 USD at the time of writing.
Here's what we know. Over the weekend, Russian open source developer Alexey Palazhchenko tweeted that his online code repository had received a request to add code to his project from a mysterious account on GitHub, a site for developers to code together.
"There are few people contributing [to my project] and I want to increase that number, so at first I was happy—wow, a new contributor, totally out of blue, not someone I asked to contribute," Palazhchenko wrote me over email.
But when he clicked on the account, he saw that it had already been banned by GitHub. This is when he became suspicious, he wrote.
Pull requests are the mechanism developers use to ask that their code be added to a project; they must be approved by the project's main coder before anything is merged. "There is no way I would accept it. [The] codebase is small, totally from a different area," he wrote. Basically, his project was small and had nothing to do with bitcoin, and so the request stuck out.
Palazhchenko took his issue to the developer chatroom for people using Drone, a continuous integration tool that allows developers to constantly update their code piece-by-piece, letting them analyze each update for bugs and other issues.
In the chat, Drone co-founder Brad Rydzewski wrote that the pull request was likely a bot trying to surreptitiously add code (all [sic]):
"a few years back a bunch of bitcoin miners started scripting the creation of github and drone user id's and scheduling bogus commits that started jobs to mine bitcoins ... so I got really good at diagnosing these sorts of things."
Rydzewski didn't respond to Motherboard's request for comment. Motherboard reached out to GitHub for confirmation that the account in question was a bot designed to insert bitcoin mining code into open source projects, if GitHub indeed banned it and if they've banned similar bots.
"Our team is aware of this and has disabled the corresponding repositories," a spokesperson for GitHub wrote in an emailed statement. "We're actively working with the [continuous integration] community to detect and combat these issues."
The idea of having code sneakily added to your software isn't nice, but the good news is that the owners of the codebase have to approve these shady pull requests. If you don't do that, then you won't have a problem. But while the risk for Palazhchenko was small due to the size of his code, other open source projects may have to be (slightly) more vigilant.
"It may be easier to do it with some bitcoin-related code with large codebase," Palazhchenko wrote, "but I doubt it."