On November 7th, security researchers discovered a dangerous malicious npm package called “@acitons/artifact” that had already been downloaded more than 206,000 times.
The package was designed to look like the legitimate “@actions/artifact” package used by developers building tools with GitHub Actions.
This was a classic typosquatting attack where the attackers swapped the letters to make the name appear correct at first glance.
The malware’s goal was clear and focused. When this package was installed during a build process in GitHub-owned repositories, it would steal authentication tokens available in the build environment.
With these tokens, attackers could then publish new malicious code directly from GitHub’s own account, creating a serious threat to the entire platform’s security.
The attack worked through a hidden installation script embedded in the package. Specifically, six versions of the malicious package included a post-install hook that automatically downloaded and ran hidden malware code.
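As an added defender-side example (not code from this article, from Veracode, or from the package itself), a small Node script that audits resolved dependency manifests for the two signals described above: a name one letter-swap away from a trusted package, and a lifecycle install hook in the manifest. The trusted list, threshold and sample manifests are constructed assumptions.

```javascript
// Added example: flag lookalike package names and install-time hooks in a set
// of resolved dependency manifests. The trusted list and sample manifests
// below are constructed for illustration, not taken from a real lockfile.

// Damerau-Levenshtein (optimal string alignment) distance, so that an
// adjacent swap such as "acitons" vs "actions" counts as a single edit.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // transposition
      }
    }
  }
  return d[a.length][b.length];
}

const TRUSTED = ['@actions/artifact', '@actions/core', '@actions/github']; // assumed allowlist
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall']; // npm lifecycle scripts run on install

// manifests: { packageName: parsed package.json } for every resolved dependency.
function auditDependencies(manifests, trusted = TRUSTED) {
  const findings = [];
  for (const [name, pkg] of Object.entries(manifests)) {
    if (!trusted.includes(name)) {
      const near = trusted.filter((t) => editDistance(name, t) <= 2); // assumed threshold
      if (near.length) findings.push({ name, issue: 'lookalike', of: near[0] });
    }
    const hooks = INSTALL_HOOKS.filter((h) => pkg.scripts && pkg.scripts[h]);
    if (hooks.length) findings.push({ name, issue: 'install-hook', hooks });
  }
  return findings;
}

// Constructed sample manifests (versions and script bodies are made up).
const SAMPLE = {
  '@actions/artifact': { name: '@actions/artifact', version: '0.0.1', scripts: {} },
  '@acitons/artifact': { name: '@acitons/artifact', version: '0.0.1', scripts: { postinstall: 'node verify.js' } },
  'left-pad': { name: 'left-pad', version: '0.0.1' },
};

console.log(auditDependencies(SAMPLE));
```

In a pipeline this would run against the output of `npm ls --json` or a parsed lockfile, and any `lookalike` or `install-hook` finding would fail the build for review.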
Veracode security analysts identified that this malware was not detected by common antivirus software when first discovered, making it especially dangerous to organizations relying on those protection tools.
This campaign highlights software supply chain failures, a risk category that ranks third in the OWASP Top 10 2025 list.
The attack targeted GitHub’s continuous integration and continuous deployment platform, showing how criminals are increasingly focusing on the tools that developers trust every day.
Veracode security researchers noted that the malware used clever techniques to hide its true behavior and avoid automatic detection.
Malicious code
The malicious code was obfuscated and compiled using special tools that convert shell scripts into binary files, making it harder to analyze.
The package contained a specific mechanism to stop working after a certain date, with each version set to expire within days of release.
This time-based trigger suggests the attackers were testing different versions of their code while staying hidden from security systems.
The infection mechanism worked in stages. When installed, the malware executed as a bash script that reset its own environment variables to change how it ran.
This triggered the loading of an obfuscated file called “verify.js” hidden inside a Node package. The verify.js file contained checks for specific GitHub environment variables that only exist when code runs inside GitHub Actions.
The code specifically targeted only repositories owned by the GitHub organization itself, confirming this was a precision attack.
The malware obtained an encryption key from an external server, encrypted the stolen tokens, and then sent this encrypted data to a command and control server.
Developers using Veracode’s Package Firewall were protected from this threat immediately after the discovery, but the incident demonstrates how vulnerable package managers remain to these sophisticated supply chain attacks.
