Cybersecurity Alert: Malicious NPM Package Targets GitHub Repositories

Cybersecurity researchers have flagged a malicious npm package named "@acitons/artifact" that typosquats the legitimate package "@actions/artifact." The intent of this malicious package is reportedly to target GitHub-owned repositories.

According to Veracode, the cybersecurity company that analyzed the package, the script embedded in the package was designed to execute during a GitHub build process, exfiltrating the available tokens in the build environment.

These tokens could then be used to publish new malicious artifacts as if they originated from GitHub. The malicious package had six versions, ranging from 4.0.12 to 4.0.17, which included a post-install hook that would download and run malware.

However, the latest version available for download was 4.0.10, suggesting that the threat actor, known as blakesdev, removed the offending versions after being discovered. The package was first uploaded on October 29, 2025, and has been downloaded over 47 thousand times, garnering 31,398 weekly downloads.

Veracode also identified a second npm package, "8jfiesaf83," which exhibited similar malicious functionality but is no longer available for download after accruing 1,016 downloads. Further examination showed that the post-install script was set to download a binary named "harness" from a now-removed GitHub account.

This binary was an obfuscated shell script designed to check for the presence of certain GITHUB_ variables associated with GitHub Actions workflows, and it would exfiltrate this data in an encrypted format to a text file hosted on the "app.github[.]dev" subdomain.

The targeting of GitHub repositories indicates a deliberate attack strategy. In a statement, a GitHub spokesperson confirmed that the identified packages were part of a "tightly controlled exercise" conducted by GitHub's Red Team.

They emphasized that GitHub regularly conducts Red Team exercises to test its security measures and stated that at no point were GitHub systems or data at risk. The spokesperson’s comments suggest that this incident may not be as alarming as it seems, framing it instead as a proactive security measure.

This situation underscores the ongoing challenges developers face in maintaining secure codebases, particularly with the rise of typosquatting and other malicious tactics aimed at infiltrating software supply chains.

As developers increasingly rely on npm packages, vigilance in software security has never been more crucial. The incident serves as a reminder of the importance of scrutinizing dependencies and remaining aware of potential security threats in open-source ecosystems.