Cybersecurity researchers have discovered a malicious npm package named “@acitons/artifact” that typosquats the legitimate “@actions/artifact” package in order to target repositories owned by GitHub.
“We believe the purpose was to run this script during the build of a GitHub-owned repository, extract tokens available in the build environment, and use those tokens to publish new malicious artifacts as GitHub,” Veracode said in its analysis.
The cybersecurity company said it observed six versions of the package (4.0.12 to 4.0.17) that included post-installation hooks to download and execute malware. However, the latest version available for download from npm is 4.0.10, indicating that blakesdev, the threat actor behind the package, has removed all versions in question.
This package was first uploaded on October 29, 2025 and has been downloaded 31,398 times every week since then. According to data from npm-stat, it has been downloaded a total of 47,405 times. Veracode also said it has identified another npm package named “8jfiesaf83” with similar functionality. Although it is no longer available for download, it appears to have been downloaded 1,016 times.
Further analysis of one of the malicious versions of the package revealed that the post-installation script was configured to download a binary named “harness” from a now-deleted GitHub account. This binary is an obfuscated shell script that contains a check to prevent execution if the time is after November 6, 2025 UTC.
It is also designed to run a JavaScript file named ‘verify.js’. This file checks for the presence of certain GITHUB_ variables that are configured as part of the GitHub Actions workflow and extracts the collected data in encrypted format to a text file hosted at ‘app.github’.[.]dev” subdomain.
“The malware targeted only repositories owned by the GitHub organization, making this a targeted attack against GitHub,” Veracode said. “This campaign appears to be targeting GitHub’s own repositories and user y8793hfiuashfjksdhfjsk, who exists but has no publishing activity. This user account may be for testing purposes.”
Source link
