dark
Hand-Picked Top-Read Stories
Trending Tags
2 minute read

Researchers Detect Malicious npm Package Targeting GitHub-Owned Repositories

info@thehackernews.com (The Hacker News)
November 11, 2025
Cybersecurity researchers have discovered a malicious npm package named “@acitons/artifact” that typosquats the legitimate “@actions/artifact” package with the intent to target GitHub-owned repositories. “We think the intent was to have this script execute during a build of a GitHub-owned repository, exfiltrate the tokens available to the build environment, and then use those tokens to publish
Total
0
Shares
0
0
0

Cybersecurity researchers have discovered a malicious npm package named “@acitons/artifact” that typosquats the legitimate “@actions/artifact” package with the intent to target GitHub-owned repositories.

“We think the intent was to have this script execute during a build of a GitHub-owned repository, exfiltrate the tokens available to the build environment, and then use those tokens to publish new malicious artifacts as GitHub,” Veracode said in an analysis.

The cybersecurity company said it observed six versions of the package – from 4.0.12 to 4.0.17 – that incorporated a post-install hook to download and run malware. That said, the latest version available for download from npm is 4.0.10, indicating that the threat actor behind the package, blakesdev, has removed all the offending versions.

CIS Build Kits

The package was first uploaded on October 29, 2025, and has since accrued 31,398 weekly downloads. In total, it has been downloaded 47,405 times, according to data from npm-stat. Veracode also said it identified another npm package named “8jfiesaf83” with similar functionality. It’s no longer available for download, but it appears to have been downloaded 1,016 times.

Further analysis of one of the malicious versions of the package has revealed that the postinstall script is configured to download a binary named “harness” from a now-removed GitHub account. The binary is an obfuscated shell script that includes a check to prevent execution if the time is after 2025-11-06 UTC.

It’s also designed to run a JavaScript file named “verify.js” that checks for the presence of certain GITHUB_ variables that are set as part of a GitHub Actions workflow, and exfiltrates the collected data in encrypted format to a text file hosted on the “app.github[.]dev” subdomain.

“The malware was only targeting repositories owned by the GitHub organization, making this a targeted attack against GitHub,” Veracode said. “The campaign appears to be targeting GitHub’s own repositories as well as a user y8793hfiuashfjksdhfjsk which exists but has no public activity. This user account could be for testing.”

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

 The Hacker News 

Total
0
Shares
Share 0
Tweet 0
Share 0
Share 0
Share 0
Previous Post

Russian hacker to plead guilty to aiding Yanluowang ransomware group

November 10, 2025
Next Post

CISO’s Expert Guide To AI Supply Chain Attacks

November 11, 2025
Related Posts
3 min

New Malware Campaign Delivers Remcos RAT Through Multi-Stage Windows Attack

Cybersecurity researchers have disclosed details of a new campaign dubbed SHADOW#REACTOR that employs an evasive multi-stage attack chain to deliver a commercially available remote administration tool called Remcos RAT and establish persistent, covert remote access. "The infection chain follows a tightly orchestrated execution path: an obfuscated VBS launcher executed via wscript.exe invokes a
info@thehackernews.com (The Hacker News)
January 13, 2026
Read More
2 min

Eclipse Foundation Mandates Pre-Publish Security Checks for Open VSX Extensions

The Eclipse Foundation, which maintains the Open VSX Registry, has announced plans to enforce security checks before Microsoft Visual Studio Code (VS Code) extensions are published to the open-source repository to combat supply chain threats. The move marks a shift from a reactive to a proactive approach to ensure that malicious extensions don't end up getting published on the Open VSX Registry.
info@thehackernews.com (The Hacker News)
February 4, 2026
Read More
6 min

Researchers Expose GhostCall and GhostHire: BlueNoroff’s New Malware Chains

Threat actors tied to North Korea have been observed targeting the Web3 and blockchain sectors as part of twin campaigns tracked as GhostCall and GhostHire. According to Kaspersky, the campaigns are part of a broader operation called SnatchCrypto that has been underway since at least 2017. The activity is attributed to a Lazarus Group sub-cluster called BlueNoroff, which is also known as APT38,
info@thehackernews.com (The Hacker News)
October 28, 2025
Read More