Fake NPM Package With 206K Downloads Targeted GitHub for Credentials – Hackread – Cybersecurity News, Data Breaches, Tech, AI, Crypto and More

Cybersecurity researchers at Veracode discovered a campaign that was aimed at stealing critical credentials from GitHub’s own code base. The attack involved hackers planting a fake software component on npm (Node Package Manager), which is a massive public library that developers use to share JavaScript code.

For your information, an npm package is a folder containing code, documentation, and metadata that developers can easily share and integrate into their projects. These help them build modern applications by reusing existing, tested code components instead of writing everything from scratch.

Cybersecurity firm Veracode’s threat research team flagged the malicious npm package, which posed as the GitHub Actions Toolkit module “@acitons/artifact”, on Friday, November 7. The name is a clear example of a trick called typosquatting, used to deceive unsuspecting users.

This type of attack involves registering a name that intentionally looks like a typo of a legitimate one (the real package is @actions/artifact), hoping developers will accidentally download the wrong one. The malicious package was surprisingly popular, having been downloaded over 206,000 times.

Screenshot taken after the malware author took down the malicious package (Source: Veracode)

How the Supply Chain Was Compromised

This type of breach, technically called a Software Supply Chain Failure, has become a major concern, even making it onto the OWASP TOP 10 2025 (RC1) list of top risks, researchers noted in the blog post shared with Hackread.com.

The fake package was set up to launch a dangerous sequence immediately after installation. It contained a post-install hook (a script that npm runs automatically once a package has been installed) that would download and run malware to steal GitHub tokens.

Think of these tokens as temporary access keys for the code environment. Veracode’s researchers believe the ultimate motivation was to “exfiltrate the tokens available to the build environment, and then use those tokens to publish new malicious artifacts as GitHub.”

Further investigation showed the malware was extremely focused. It was programmed to check whose repository it was in, and specifically targeted repositories owned by the GitHub organisation. A check within the harmful code ensured it would “exit if the organisation was not GitHub,” confirming the attackers were aiming at the core platform.

Package Removal Timeline

It is worth noting that when the researchers first found the malware, even popular anti-virus software did not catch it. The attackers had also included an expiration date, setting the code to stop working after 2025-11-06 UTC. The research also identified and blocked another fake package called “8jfiesaf83”.

By Monday, November 10, the malicious versions of the package were taken down, likely by the attackers themselves or by GitHub. The good news is that Veracode confirmed that customers using their security service, Package Firewall, were protected instantly after the threat was identified on Friday.
