Coin miner breach?


#1

I’we just noticed that there is a coin miner running on my CircleCI setup!

https://circleci.com/gh/msvrtan/cqrs1/72

I cant figure out how it got to run since my project has no PR’s, has no forks, not branch named pull/2 but this is running on my CircleCI


#2

+1

I also got an email from circle ci saying i should “Disable permissive forked PR builds” which i havent ever enabled.

I would also very much like to know how to avoid that


#3

Looks like we’re being hit by the same malicious GitHub user. I reported them for abuse today after one of my projects was flagged. Seems the account is dedicated to forking assorted repos to misuse CircleCI.

The pull requests not really existing makes me think they’re exploiting a bug in the GitHub API, but I’ll see what they say.


#4

Hello!

Thank you for reaching out about this issue. We’re aware and working through it now.

If you haven’t could you please send an email to support@circleci.com?


#5

We are not currently receiving the support we’ve come to expect from Circle. I understand that it appears you have discovered a potentially rather frightening vulnerability and that you need to evaluate thoroughly before posting a public post-mortem.

However, here’s the situation we’re in now:

  • Forked builds are not being created at all. We received no warning that this would happen and discovered it only by accident when triaging PRs on GitHub.
  • Support staff took 3 hours for the first reply, indicating only that there was a bug fixed (without explanation) and that I can revert the functionality by enabling permissive forked PR builds.
  • We need builds that do not expose environment variables and these builds apparently no longer happen. I’m still not understanding why because your support staff has not clarified.
  • After raising further concerns asking for explicit details as to the bug, possible vulnerabilities, and steps I should take now on my end, I received a pretty blasé “we understand your concerns” reply with no additional details, no timeline, and no promise of further follow-up by an actual support engineer.

As a result, I’m now standing idly by wondering whether we should roll keys or other sensitive information or what other steps we must take to protect ourselves and our data.

We’ve been left hanging without any insight whatsoever. Please address these concerns – if not in public, at least with your customers who are begging for you to address them.


#6

We have been in touch directly with Josh (and all affected customers) since this post.

The issue being discussed is complex so we haven’t published a public post-mortem yet. Please don’t hesitate to contact us directly if you have any more concerns.


#7

Where can I find the public post-mortem for this?


#8