Researchers Detect Malicious npm Package Targeting GitHub-Owned Repositories

News Room, published 11 November 2025 (last updated 2025/11/11 at 7:32 AM)
Nov 11, 2025Ravie LakshmananSoftware Supply Chain / Malware

Cybersecurity researchers have discovered a malicious npm package named “@acitons/artifact” that typosquats the legitimate “@actions/artifact” package with the intent to target GitHub-owned repositories.

“We think the intent was to have this script execute during a build of a GitHub-owned repository, exfiltrate the tokens available to the build environment, and then use those tokens to publish new malicious artifacts as GitHub,” Veracode said in an analysis.

The cybersecurity company said it observed six versions of the package – from 4.0.12 to 4.0.17 – that incorporated a post-install hook to download and run malware. That said, the latest version available for download from npm is 4.0.10, indicating that the threat actor behind the package, blakesdev, has removed all the offending versions.

The package was first uploaded on October 29, 2025, and has since accrued 31,398 weekly downloads. In total, it has been downloaded 47,405 times, according to data from npm-stat. Veracode also said it identified another npm package named “8jfiesaf83” with similar functionality. It’s no longer available for download, but it appears to have been downloaded 1,016 times.

Further analysis of one of the malicious versions of the package has revealed that the postinstall script is configured to download a binary named “harness” from a now-removed GitHub account. The binary is an obfuscated shell script that includes a check to prevent execution if the time is after 2025-11-06 UTC.

It’s also designed to run a JavaScript file named “verify.js” that checks for the presence of certain GITHUB_ variables that are set as part of a GitHub Actions workflow, and exfiltrates the collected data in encrypted format to a text file hosted on the “app.github[.]dev” subdomain.
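The two traits the article describes, a scope name one character-swap away from a trusted one and a lifecycle hook that runs code at install time, can be checked offline against an installed dependency tree. The following is an added example written for this page, not code from Veracode, npm or the package in question; the trusted-scope list, the similarity threshold and the sample manifests are assumptions or constructed data.

```python
import json
import os
from difflib import SequenceMatcher

# Scopes this check treats as trusted; a near-miss of one of these is suspect (assumed list).
KNOWN_SCOPES = ("@actions", "@octokit", "@types")
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

def is_transposition(a: str, b: str) -> bool:
    """True if a and b differ only by one swap of adjacent characters (e.g. @acitons vs @actions)."""
    if len(a) != len(b):
        return False
    d = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    return len(d) == 2 and d[1] == d[0] + 1 and a[d[0]] == b[d[1]] and a[d[1]] == b[d[0]]

def looks_like(a: str, b: str, threshold: float = 0.85) -> bool:
    """Near-match by similarity ratio (threshold is an assumption), excluding an exact match."""
    return a != b and SequenceMatcher(None, a, b).ratio() >= threshold

def audit_package(manifest: dict) -> list:
    """Findings for one package.json dict: near-miss scope and/or install-time lifecycle scripts."""
    findings = []
    name = manifest.get("name", "")
    scope = name.split("/")[0] if name.startswith("@") and "/" in name else None
    if scope and scope not in KNOWN_SCOPES:
        for known in KNOWN_SCOPES:
            if is_transposition(scope, known) or looks_like(scope, known):
                findings.append(f"{name}: scope {scope} is a near-miss of trusted scope {known}")
    scripts = manifest.get("scripts", {})
    for hook in (h for h in INSTALL_HOOKS if h in scripts):
        findings.append(f"{name}: runs code at install time via {hook}: {scripts[hook]!r}")
    return findings

def audit_node_modules(root: str = "node_modules") -> list:
    """Walk an installed tree offline and audit every package.json found."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" in files:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                try:
                    findings += audit_package(json.load(fh))
                except (json.JSONDecodeError, AttributeError):
                    pass  # skip files that are not a readable package manifest
    return findings

# Constructed sample manifests (not the real packages' contents); the postinstall command is a placeholder.
SAMPLE = [
    {"name": "@actions/artifact", "version": "4.0.10", "scripts": {"build": "tsc"}},
    {"name": "@acitons/artifact", "version": "4.0.12", "scripts": {"postinstall": "node ./run-stage2.js"}},
    {"name": "lodash", "version": "4.17.21"},
]
```

Run `audit_node_modules()` from a project root to check a real install; a package that trips both findings, as the sample typosquat does, is the pattern worth blocking in CI before any workflow token is exposed to it.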

“The malware was only targeting repositories owned by the GitHub organization, making this a targeted attack against GitHub,” Veracode said. “The campaign appears to be targeting GitHub’s own repositories as well as a user y8793hfiuashfjksdhfjsk which exists but has no public activity. This user account could be for testing.”