Researchers Detect Malicious npm Package Targeting GitHub-Owned Repositories

Researchers Detect Malicious npm Package Targeting GitHub-Owned Repositories

Posted on By CWS

Nov 11, 2025Ravie LakshmananSoftware Provide Chain / Malware
Cybersecurity researchers have found a malicious npm package deal named “@acitons/artifact” that typosquats the reputable “@actions/artifact” package deal with the intent to focus on GitHub-owned repositories.
“We predict the intent was to have this script execute throughout a construct of a GitHub-owned repository, exfiltrate the tokens out there to the construct atmosphere, after which use these tokens to publish new malicious artifacts as GitHub,” Veracode stated in an evaluation.
The cybersecurity firm stated it noticed six variations of the package deal – from 4.0.12 to 4.0.17 – that integrated a post-install hook to obtain and run malware. That stated, the newest model out there for obtain from npm is 4.0.10, indicating that the risk actor behind the package deal, blakesdev, has eliminated all of the offending variations.

The package deal was first uploaded on October 29, 2025, and has since accrued 31,398 weekly downloads. In whole, it has been downloaded 47,405 instances, in response to knowledge from npm-stat. Veracode additionally stated it recognized one other npm package deal named “8jfiesaf83” with comparable performance. It is now not out there for obtain, however it seems to have been downloaded 1,016 instances.
Additional evaluation of one of many malicious variations of the package deal has revealed that the postinstall script is configured to obtain a binary named “harness” from a now-removed GitHub account. The binary is an obfuscated shell script that features a examine to forestall execution if the time is after 2025-11-06 UTC.

It is also designed to run a JavaScript file named “confirm.js” that checks for the presence of sure GITHUB_ variables which can be set as a part of a GitHub Actions workflow, and exfiltrates the collected knowledge in encrypted format to a textual content file hosted on the “app.github[.]dev” subdomain.
“The malware was solely concentrating on repositories owned by the GitHub group, making this a focused assault towards GitHub,” Veracode stated. “The marketing campaign seems to be concentrating on GitHub’s personal repositories in addition to a person y8793hfiuashfjksdhfjsk which exists however has no public exercise. This person account might be for testing.”

The Hacker News Tags:, , , , , , ,

Related Posts

Ukrainian National Imprisoned for North Korea IT Fraud Ukrainian National Imprisoned for North Korea IT Fraud The Hacker News
A Look Inside Pillar’s AI Security Platform A Look Inside Pillar’s AI Security Platform The Hacker News
Google Uncovers PROMPTFLUX Malware That Uses Gemini AI to Rewrite Its Code Hourly Google Uncovers PROMPTFLUX Malware That Uses Gemini AI to Rewrite Its Code Hourly The Hacker News
ShadowPad Malware Actively Exploits WSUS Vulnerability for Full System Access ShadowPad Malware Actively Exploits WSUS Vulnerability for Full System Access The Hacker News
Why the Identity Security Fabric is Essential for Securing AI and Non-Human Identities Why the Identity Security Fabric is Essential for Securing AI and Non-Human Identities The Hacker News
UNC1549 Hacks 34 Devices in 11 Telecom Firms via LinkedIn Job Lures and MINIBIKE Malware UNC1549 Hacks 34 Devices in 11 Telecom Firms via LinkedIn Job Lures and MINIBIKE Malware The Hacker News