Researchers Detect Malicious npm Package Targeting GitHub-Owned Repositories

Posted on November 11, 2025 By CWS

Nov 11, 2025Ravie LakshmananSoftware Provide Chain / Malware
Cybersecurity researchers have found a malicious npm package deal named “@acitons/artifact” that typosquats the reputable “@actions/artifact” package deal with the intent to focus on GitHub-owned repositories.
“We predict the intent was to have this script execute throughout a construct of a GitHub-owned repository, exfiltrate the tokens out there to the construct atmosphere, after which use these tokens to publish new malicious artifacts as GitHub,” Veracode stated in an evaluation.
The cybersecurity firm stated it noticed six variations of the package deal – from 4.0.12 to 4.0.17 – that integrated a post-install hook to obtain and run malware. That stated, the newest model out there for obtain from npm is 4.0.10, indicating that the risk actor behind the package deal, blakesdev, has eliminated all of the offending variations.

The package was first uploaded on October 29, 2025, and has since accrued 31,398 weekly downloads. In total, it has been downloaded 47,405 times, according to data from npm-stat. Veracode also said it identified another npm package named “8jfiesaf83” with similar functionality. It is no longer available for download, but it appears to have been downloaded 1,016 times.

Further analysis of one of the malicious versions of the package has revealed that the postinstall script is configured to download a binary named “harness” from a now-removed GitHub account. The binary is an obfuscated shell script that includes a check to prevent execution if the time is after 2025-11-06 UTC.

It is also designed to run a JavaScript file named “confirm.js” that checks for the presence of certain GITHUB_ variables that are set as part of a GitHub Actions workflow, and exfiltrates the collected data in encrypted format to a text file hosted on the “app.github[.]dev” subdomain.

“The malware was only targeting repositories owned by the GitHub organization, making this a targeted attack against GitHub,” Veracode said. “The campaign appears to be targeting GitHub’s own repositories as well as a user y8793hfiuashfjksdhfjsk which exists but has no public activity. This user account might be for testing.”
