Nov 11, 2025Ravie LakshmananSoftware Provide Chain / Malware
Cybersecurity researchers have found a malicious npm package deal named “@acitons/artifact” that typosquats the reputable “@actions/artifact” package deal with the intent to focus on GitHub-owned repositories.
“We predict the intent was to have this script execute throughout a construct of a GitHub-owned repository, exfiltrate the tokens out there to the construct atmosphere, after which use these tokens to publish new malicious artifacts as GitHub,” Veracode stated in an evaluation.
The cybersecurity firm stated it noticed six variations of the package deal – from 4.0.12 to 4.0.17 – that integrated a post-install hook to obtain and run malware. That stated, the newest model out there for obtain from npm is 4.0.10, indicating that the risk actor behind the package deal, blakesdev, has eliminated all of the offending variations.
The package deal was first uploaded on October 29, 2025, and has since accrued 31,398 weekly downloads. In whole, it has been downloaded 47,405 instances, in response to knowledge from npm-stat. Veracode additionally stated it recognized one other npm package deal named “8jfiesaf83” with comparable performance. It is now not out there for obtain, however it seems to have been downloaded 1,016 instances.
Additional evaluation of one of many malicious variations of the package deal has revealed that the postinstall script is configured to obtain a binary named “harness” from a now-removed GitHub account. The binary is an obfuscated shell script that features a examine to forestall execution if the time is after 2025-11-06 UTC.
It is also designed to run a JavaScript file named “confirm.js” that checks for the presence of sure GITHUB_ variables which can be set as a part of a GitHub Actions workflow, and exfiltrates the collected knowledge in encrypted format to a textual content file hosted on the “app.github[.]dev” subdomain.
“The malware was solely concentrating on repositories owned by the GitHub group, making this a focused assault towards GitHub,” Veracode stated. “The marketing campaign seems to be concentrating on GitHub’s personal repositories in addition to a person y8793hfiuashfjksdhfjsk which exists however has no public exercise. This person account might be for testing.”
