Some of you may be aware of the "continuous integration" approach in software development. One of the tools used for it is, for example, GitHub Actions. A server takes the source code and launches the build, tests, etc., to check that new development did not break anything. That's the theory. What if someone added "one more extra task" to be performed on the server side?
The Sysdig Threat Research Team (Sysdig TRT) recently uncovered an extensive and sophisticated active cryptomining operation and named it PURPLEURCHIN. More details here:
https://sysdig.com/blog/massive-cryptomining-operation-github-actions/