dark
Hand-Picked Top-Read Stories
Trending Tags
2 minute read

Researchers Detect Malicious npm Package Targeting GitHub-Owned Repositories

info@thehackernews.com (The Hacker News)
November 11, 2025
Cybersecurity researchers have discovered a malicious npm package named “@acitons/artifact” that typosquats the legitimate “@actions/artifact” package with the intent to target GitHub-owned repositories. “We think the intent was to have this script execute during a build of a GitHub-owned repository, exfiltrate the tokens available to the build environment, and then use those tokens to publish
Total
0
Shares
0
0
0

Cybersecurity researchers have discovered a malicious npm package named “@acitons/artifact” that typosquats the legitimate “@actions/artifact” package with the intent to target GitHub-owned repositories.

“We think the intent was to have this script execute during a build of a GitHub-owned repository, exfiltrate the tokens available to the build environment, and then use those tokens to publish new malicious artifacts as GitHub,” Veracode said in an analysis.

The cybersecurity company said it observed six versions of the package – from 4.0.12 to 4.0.17 – that incorporated a post-install hook to download and run malware. That said, the latest version available for download from npm is 4.0.10, indicating that the threat actor behind the package, blakesdev, has removed all the offending versions.

CIS Build Kits

The package was first uploaded on October 29, 2025, and has since accrued 31,398 weekly downloads. In total, it has been downloaded 47,405 times, according to data from npm-stat. Veracode also said it identified another npm package named “8jfiesaf83” with similar functionality. It’s no longer available for download, but it appears to have been downloaded 1,016 times.

Further analysis of one of the malicious versions of the package has revealed that the postinstall script is configured to download a binary named “harness” from a now-removed GitHub account. The binary is an obfuscated shell script that includes a check to prevent execution if the time is after 2025-11-06 UTC.

It’s also designed to run a JavaScript file named “verify.js” that checks for the presence of certain GITHUB_ variables that are set as part of a GitHub Actions workflow, and exfiltrates the collected data in encrypted format to a text file hosted on the “app.github[.]dev” subdomain.

“The malware was only targeting repositories owned by the GitHub organization, making this a targeted attack against GitHub,” Veracode said. “The campaign appears to be targeting GitHub’s own repositories as well as a user y8793hfiuashfjksdhfjsk which exists but has no public activity. This user account could be for testing.”

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

 The Hacker News 

Total
0
Shares
Share 0
Tweet 0
Share 0
Share 0
Share 0
Previous Post

Russian hacker to plead guilty to aiding Yanluowang ransomware group

November 10, 2025
Next Post

CISO’s Expert Guide To AI Supply Chain Attacks

November 11, 2025
Related Posts
4 min

Qilin Ransomware Turns South Korean MSP Breach Into 28-Victim ‘Korean Leaks’ Data Heist

South Korea's financial sector has been targeted by what has been described as a sophisticated supply chain attack that led to the deployment of Qilin ransomware. "This operation combined the capabilities of a major Ransomware-as-a-Service (RaaS) group, Qilin, with potential involvement from North Korean state-affiliated actors (Moonstone Sleet), leveraging Managed Service Provider (MSP)
info@thehackernews.com (The Hacker News)
November 26, 2025
Read More
2 min

Google Sues China-Based Hackers Behind $1 Billion Lighthouse Phishing Platform

Google has filed a civil lawsuit in the U.S. District Court for the Southern District of New York (SDNY) against China-based hackers who are behind a massive Phishing-as-a-Service (PhaaS) platform called Lighthouse that has ensnared over 1 million users across 120 countries. The PhaaS kit is used to conduct large-scale SMS phishing attacks that exploit trusted brands like E-ZPass and USPS to
info@thehackernews.com (The Hacker News)
November 12, 2025
Read More
2 min

Years of JSONFormatter and CodeBeautify Leaks Expose Thousands of Passwords and API Keys

New research has found that organizations in various sensitive sectors, including governments, telecoms, and critical infrastructure, are pasting passwords and credentials into online tools like JSONformatter and CodeBeautify that are used to format and validate code. Cybersecurity company watchTowr Labs said it captured a dataset of over 80,000 files on these sites, uncovering thousands of
info@thehackernews.com (The Hacker News)
November 25, 2025
Read More