On Friday, November 7th, Veracode Threat Research discovered a dangerous typosquatting campaign targeting developers using GitHub Actions.
The malicious npm package “@acitons/artifact” had accumulated over 206,000 downloads before being removed, posing a significant threat to GitHub-owned repositories and potentially compromising sensitive authentication tokens.
The malicious package mimicked the legitimate “@actions/artifact” npm package, which is part of the official GitHub Actions Toolkit.
The attacker swapped the letters “ti” for “it” in the package name a classic typosquatting technique designed to catch developers who mistype dependency names during installation. This subtle obfuscation proved effective, accumulating hundreds of thousands of downloads from unsuspecting developers.
Sophisticated Post-Install Attack
Veracode researchers identified six malicious versions of the package, each containing a post-install hook that executes during package installation.
The hook downloaded and executed obfuscated malware that evaded detection by popular antivirus products. At the time of discovery, the malicious binary was flagged by zero antivirus vendors on VirusTotal, highlighting the sophisticated nature of the threat.
The attack chain was carefully engineered. The malware consisted of an obfuscated shell script compiled using the Shell Script Compiler (shc) tool.
Upon execution, it re-executed itself from bash after modifying environment variables to activate its payload. This resulted in the extraction and execution of a Node package containing an obfuscated JavaScript file named “verify.js.”
The analysis revealed this was a precision-targeted campaign against GitHub itself. The verify.js script contained checks for GitHub-specific environment variables that are only set during GitHub Actions builds.
The malware included explicit targeting logic, exiting silently unless the repository owner matched specific targets, including the GitHub organization itself.
Most critically, the malware was designed to exfiltrate authentication tokens available within the build environment.
Once obtained, threat actors intended to use these tokens to publish new malicious artifacts impersonating GitHub, potentially compromising downstream users and creating a cascading supply chain attack.
Technical Sophistication and Intentional Expiry
The campaign demonstrated advanced operational security practices. Each malicious binary contained a hardcoded expiry date set to self-terminate after a specific date the primary sample expired on November 6th UTC, with another set to expire the following day.
This suggests deliberate planning and a limited-duration campaign, possibly to avoid prolonged detection.GitHub identified the malware since it seems the two GitHub users have been removed.
Exfiltration occurred through encrypted channels. The malware retrieved an AES encryption key from a remote command-and-control server and transmitted encrypted data to a GitHub App-based endpoint, further obscuring the attacker’s infrastructure.
Veracode notified npm of the malicious package, leading to its removal. Veracode Package Firewall customers received immediate protection on Friday when researchers triaged the threat.
Additionally, Veracode researchers uncovered and blocked 12 versions of another malicious package named “8jfiesaf83” from the same campaign earlier in November.
This incident underscores the growing threat of supply chain attacks, now ranked as the third most critical vulnerability category in the OWASP Top 10 2025.
The attack demonstrates how typosquatting remains an effective vector for compromising CI/CD infrastructure and gaining access to sensitive authentication credentials.
Organizations using GitHub Actions should scrutinize their dependency management practices and implement additional verification layers for package installations.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.