Ethical Hacking News

Npm Package Malware: A Targeted Attack on GitHub-Owned Repositories Exposed




A recent discovery by cybersecurity researchers has exposed a malicious npm package designed to target GitHub-owned repositories. The package, which masqueraded as a legitimate dependency, used typosquatting and a post-install hook to embed malware in the platform's build process. This targeted attack highlights the ongoing threat of software supply chain attacks and underscores the need for greater awareness among developers about the risks of using npm packages.

  • The malicious npm package "artifact" was discovered to masquerade as the legitimate "@actions/artifact" package using typosquatting.
  • The attacker, identified as "blakesdev," uploaded the package to npm on October 29, 2025, with over 31,398 weekly downloads and 47,405 total downloads.
  • Veracode found that six versions of the package contained a post-install hook that downloaded and ran malware, with the latest version modified by the attacker to remove the malicious code.
  • The package was designed not only to target GitHub-owned repositories but also user-created accounts, posing a sophisticated targeted attack against GitHub's systems and users.



    A recent discovery by cybersecurity researchers has shed light on a malicious npm package that was designed to target GitHub-owned repositories. The package, dubbed "@acitons/artifact," used a technique known as typosquatting to masquerade as the legitimate "@actions/artifact" package. This allowed the attacker to execute a script during the build process of a GitHub-owned repository, thereby exfiltrating sensitive tokens and potentially publishing malicious artifacts on the platform.

    The malicious package was discovered by Veracode, a cybersecurity company that specializes in identifying and mitigating software vulnerabilities. According to Veracode, the attacker behind the package, identified as "blakesdev," had uploaded the package to npm on October 29, 2025. The package quickly gained popularity, with over 31,398 weekly downloads and a total of 47,405 downloads since its initial upload.

    However, it was not until Veracode began analyzing the package that they discovered the malicious code embedded within. Specifically, they found that six versions of the package, ranging from 4.0.12 to 4.0.17, contained a post-install hook that downloaded and ran malware. The latest version available for download on npm, 4.0.10, had been modified by the attacker to remove the malicious code.

    But what was even more concerning was the fact that the package had been designed to target not just GitHub-owned repositories but also user-created accounts. Veracode observed that one of the malicious versions of the package contained a script that downloaded a binary named "harness" from a now-removed GitHub account. This binary, which was obfuscated and included a check to prevent execution if the time was after November 6, 2025, appeared to be designed to run a JavaScript file named "verify.js" that checked for the presence of certain GITHUB_ variables set as part of a GitHub Actions workflow.

    The script then exfiltrated the collected data in encrypted format to a text file hosted on the "app.github[.]dev" subdomain. Veracode noted that this was not just a trivial attack but rather a sophisticated targeted attack against GitHub's own systems and user accounts.
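The two properties the article describes, a scope name one transposition away from "@actions" and a post-install hook in the dependency's package.json, are both checkable before install. The following is an added example (not code from the article, Veracode or GitHub) that audits a dependency map for look-alike scopes and install-time scripts; the trusted-scope allow-list and all package data are constructed, and the script command is a placeholder.

```javascript
// Added example (not from the article, Veracode or GitHub): flag dependencies whose scope is a
// near-miss of a trusted scope ("@acitons" vs "@actions") or that declare install-time scripts.
const TRUSTED_SCOPES = ["@actions", "@octokit", "@types"]; // assumption: organisation allow-list
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall"];
// Optimal-string-alignment (Damerau-Levenshtein) distance: an adjacent swap such as
// "ti" -> "it" counts as one edit where plain Levenshtein would count two.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i, ...Array(b.length).fill(0)]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}
// Returns the trusted scope a scoped name imitates, or null when the scope is itself
// trusted, the name is unscoped, or no trusted scope is within two edits.
function lookalikeScope(name) {
  if (!name.startsWith("@")) return null;
  const scope = name.split("/")[0];
  if (TRUSTED_SCOPES.includes(scope)) return null;
  for (const trusted of TRUSTED_SCOPES) {
    if (editDistance(scope, trusted) <= 2) return trusted;
  }
  return null;
}
// Audits a dependency map (name -> range) together with each dependency's own package.json
// "scripts" block, which is where a post-install hook like the article's would be declared.
function audit(deps, manifests) {
  const findings = [];
  for (const name of Object.keys(deps)) {
    const imitates = lookalikeScope(name);
    if (imitates) findings.push({ name, issue: `scope looks like ${imitates}` });
    const scripts = (manifests[name] && manifests[name].scripts) || {};
    for (const hook of LIFECYCLE_HOOKS) {
      if (scripts[hook]) findings.push({ name, issue: `${hook} script: ${scripts[hook]}` });
    }
  }
  return findings;
}
// Constructed sample input modelled on the article's case; the script command is a placeholder.
const SAMPLE_DEPS = { "@actions/core": "^1.10.0", "@acitons/artifact": "^4.0.12", lodash: "^4.17.21" };
const SAMPLE_MANIFESTS = { "@acitons/artifact": { scripts: { postinstall: "node verify.js" } } };
console.log(audit(SAMPLE_DEPS, SAMPLE_MANIFESTS));
```

Running installs with `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) stops lifecycle hooks like the one above from executing at all, which removes the post-install path this attack relied on.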

    In response to the discovery, a spokesperson from GitHub stated that the malicious package was part of a "tightly controlled exercise" conducted by the company's Red Team. According to the spokesperson, the identified packages were designed to test GitHub's security posture against current threat actor techniques, with no impact on actual systems or data.

    While it is reassuring to know that the attack was not successful in compromising actual systems, the incident highlights the importance of regularly monitoring and testing software dependencies for vulnerabilities. It also underscores the need for greater awareness among developers about the potential risks associated with using npm packages.

    In recent years, there have been numerous instances of malware-laced npm packages being discovered, highlighting the ongoing threat of software supply chain attacks. The discovery of this malicious package serves as a reminder that even seemingly innocuous dependencies can pose significant security risks if not properly vetted.

    Furthermore, the use of typosquatting and post-install hooks to embed malware in npm packages underscores the creativity and sophistication of modern attack vectors. As cybersecurity researchers continue to uncover new and innovative methods used by attackers, it is essential for developers and organizations to stay vigilant and take proactive steps to protect themselves against these types of threats.

    In light of this incident, Veracode has recommended that developers and organizations regularly review their npm dependencies and update them as necessary to prevent similar attacks in the future. Additionally, companies should consider implementing automated tools and processes to monitor their software dependencies for vulnerabilities and conduct regular security audits to identify potential risks.

    Overall, the discovery of the malicious npm package serves as a timely reminder of the importance of cybersecurity awareness and responsible software development practices. By staying informed and proactive, developers and organizations can reduce their risk exposure and help create a safer and more secure digital landscape.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Npm-Package-Malware-A-Targeted-Attack-on-GitHub-Owned-Repositories-Exposed-ehn.shtml
  • https://thehackernews.com/2025/11/researchers-detect-malicious-npm.html
  • https://thehackernews.com/2025/09/40-npm-packages-compromised-in-supply.html
  • https://www.cisa.gov/news-events/alerts/2025/09/23/widespread-supply-chain-compromise-impacting-npm-ecosystem


    Published: Wed Nov 12 03:15:31 2025 by llama3.2 3B Q4_K_M