Hackers exploit GitHub, Heroku and Buddy services to mine crypto

October 27, 2022

The threat actor behind a malicious campaign called “Purpleurchin” is exploiting free GitHub, Heroku and Buddy services to mine crypto at the provider’s expense.

The malicious campaign, described as automated and large-scale “freejacking,” relies on exploiting the limited resources offered to free-tier cloud accounts to make a tiny profit from each account.

The cryptocurrency chosen by the threat actors is only marginally profitable, and researchers believe that the operation is either in an early experimental phase or trying to take control of blockchains by creating a network control majority of 51%.

The attacker uses CI/CD service providers such as GitHub (300 accounts), Heroku (2,000 accounts), and Buddy.works (900 accounts) to carry out over a million function calls daily. Attackers rotate the use of these accounts over 130 Docker Hub images with mining containers. To remain undetected, Purpleurchin disguises the attack process at all operational levels.

Investigating Purpleurchin’s operation, the researchers identified a linuxapp container ‘) as the core of its operation. The container acts as a command-and-control server (C2) and Stratum server that coordinates all active mining agents and directs them to the threat actor’s mining pool.

To automate the creation of GitHub accounts, create a repository, and replicate the workflow using GitHub actions, a shell script (‘userlinux8888’) is used. All GitHub are obfuscated using random strings for the names.

The sources for this piece include an article in BleepingComputer.

Top Stories

Related Articles

June 9, 2026 Hackers exploited Meta’s AI-powered support chatbot to gain control of Instagram accounts, including several high-profile profiles. Meta more...

June 5, 2026 Security researchers have disclosed a new denial-of-service attack called HTTP/2 Bomb that can overwhelm major web servers more...

May 20, 2026 The Cybersecurity and Infrastructure Security Agency, the arm of the U.S. government tasked with protecting critical infrastructure more...

May 11, 2026 Instructure has restored access to its Canvas learning platform after a cyberattack disrupted service for universities and more...

Jim Love

Jim is an author and podcast host with over 40 years in technology.

Share:
Facebook
Twitter
LinkedIn