

Ethical Hacking News

New Malware Campaign Targets GitHub-Owned Repositories via npm Package


Malicious npm package exploits vulnerabilities in GitHub-owned repositories, exfiltrating sensitive data and publishing malicious artifacts. Researchers warn of the ongoing threat landscape and call for increased vigilance and proactive security measures.

  • The malicious npm package "@acitons/artifact" targets GitHub-owned repositories.
  • The package was designed to typosquat the legitimate "@actions/artifact" package and execute during a build, exfiltrating tokens and publishing new malicious artifacts.
  • 31,398 weekly downloads and 47,405 total downloads indicate the package's reach, even though the malicious versions have since been removed from npm.
  • The campaign appears to target GitHub repositories and a user account for testing purposes.
  • The malicious package included an obfuscated shell script that exfiltrated data to a text file hosted on "app.github.dev".



A recent discovery by cybersecurity researchers has brought to light a sophisticated malware campaign that leverages a malicious npm package to target GitHub-owned repositories. The malicious package, named "@acitons/artifact," was designed to typosquat the legitimate "@actions/artifact" package and execute during a build of a GitHub-owned repository, exfiltrating tokens available to the build environment and then using those tokens to publish new malicious artifacts as GitHub.

According to Veracode, a cybersecurity company that analyzed the malicious npm package, six versions of the package incorporated a post-install hook to download and run malware. The latest version available for download from npm is 4.0.10, indicating that the threat actor behind the package, blakesdev, has removed all the offending versions. However, this has not stopped the malicious campaign, as the researchers observed that the package had accrued 31,398 weekly downloads and had been downloaded a total of 47,405 times.

The malicious npm package was first uploaded on October 29, 2025, and its presence on the npm registry raised serious concerns about the security of GitHub-owned repositories. Veracode noted that the campaign appears to be targeting GitHub's own repositories as well as a user account with no public activity, suggesting that the threat actor may have created this user account for testing purposes.

Further analysis revealed that one of the malicious versions of the package included a post-install script configured to download a binary named "harness" from a now-removed GitHub account. The binary is an obfuscated shell script that includes a check to prevent execution if the time is after November 6, 2025 UTC. Additionally, the script runs a JavaScript file named "verify.js" that checks for the presence of certain GITHUB_-prefixed environment variables set as part of a GitHub Actions workflow and exfiltrates the collected data in encrypted form to a text file hosted on the "app.github.dev" subdomain.

The malicious npm package is a prime example of how attackers can exploit vulnerabilities in open-source software to carry out sophisticated attacks. The fact that the package was able to evade detection for several weeks highlights the importance of continuous monitoring and security testing in the software development lifecycle.

In conclusion, the recent discovery of the malicious npm package targeting GitHub-owned repositories serves as a reminder of the ongoing threat landscape in the world of cybersecurity. As attackers continue to evolve their tactics and exploit vulnerabilities in open-source software, it is essential for developers and organizations to remain vigilant and take proactive measures to protect themselves against these types of attacks.
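As an added defender-side example (not code from the article or from Veracode), the following script audits a set of package manifests for the two signals this campaign combined: a dependency name within a small edit distance of a well-known package such as @actions/artifact, and an install-time lifecycle hook. The sample manifests and the placeholder postinstall command are constructed for the example.

```javascript
// Added example: audit resolved package manifests for lookalike names and install hooks.
// KNOWN is an assumed allowlist; extend it with the packages your workflows actually use.
const KNOWN = ["@actions/artifact", "@actions/core", "@actions/github"];
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Edit distance with adjacent transposition, so "acitons" vs "actions" scores 1.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i, ...Array(b.length).fill(0)]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Return the known package a name resembles (distance <= 2) without being equal to it.
function typosquatCandidate(name, known = KNOWN) {
  if (known.includes(name)) return null;
  for (const k of known) if (editDistance(name, k) <= 2) return k;
  return null;
}

// List install-time lifecycle scripts a manifest declares (the campaign used a post-install hook).
function installHooks(manifest) {
  const scripts = manifest.scripts || {};
  return INSTALL_HOOKS.filter((h) => h in scripts);
}

// Produce one finding per manifest that trips either signal.
function audit(manifests) {
  const findings = [];
  for (const m of manifests) {
    const near = typosquatCandidate(m.name);
    const hooks = installHooks(m);
    if (near || hooks.length) findings.push({ name: m.name, lookalikeOf: near, installHooks: hooks });
  }
  return findings;
}

// Constructed sample manifests; the first mimics the lookalike name, the script command is a placeholder.
const SAMPLE = [
  { name: "@acitons/artifact", version: "0.0.0-constructed", scripts: { postinstall: "node ./placeholder.js" } },
  { name: "@actions/artifact", version: "4.0.10" },
  { name: "left-pad", version: "1.3.0" },
];
```

Running `audit(SAMPLE)` yields a single finding for the lookalike package, flagged both as resembling @actions/artifact and as declaring a postinstall hook; the genuine package and the unrelated one produce nothing.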



    Related Information:
  • https://www.ethicalhackingnews.com/articles/New-Malware-Campaign-Targets-GitHub-Owned-Repositories-via-npm-Package-ehn.shtml

  • https://thehackernews.com/2025/11/researchers-detect-malicious-npm.html

  • https://www.veracode.com/blog/malicious-npm-package-targeting-github-actions/


  • Published: Tue Nov 11 06:29:13 2025 by llama3.2 3B Q4_K_M
