Cybersecurity researchers have discovered a malicious npm package named “@acitons/artifact” that typosquats the legitimate “@actions/artifact” package with the intent to target GitHub-owned repositories.
“We think the intent was to have this script execute during a build of a GitHub-owned repository, exfiltrate the tokens available to the build environment, and then use those tokens to publish new malicious artifacts as GitHub,” Veracode said in an analysis.
The cybersecurity company said it observed six versions of the package – from 4.0.12 to 4.0.17 – that incorporated a post-install hook to download and run malware. That said, the latest version available for download from npm is 4.0.10, indicating that the threat actor behind the package, blakesdev, has removed all the offending versions.
The package was first uploaded on October 29, 2025, and has since accrued 31,398 weekly downloads. In total, it has been downloaded 47,405 times, according to data from npm-stat. Veracode also said it identified another npm package named “8jfiesaf83” with similar functionality. It’s no longer available for download, but it appears to have been downloaded 1,016 times.
Further analysis of one of the malicious versions of the package has revealed that the postinstall script is configured to download a binary named “harness” from a now-removed GitHub account. The binary is an obfuscated shell script that includes a check to prevent execution if the time is after 2025-11-06 UTC.
It’s also designed to run a JavaScript file named “verify.js” that checks for the presence of certain GITHUB_ variables that are set as part of a GitHub Actions workflow, and exfiltrates the collected data in encrypted format to a text file hosted on the “app.github[.]dev” subdomain.
“The malware was only targeting repositories owned by the GitHub organization, making this a targeted attack against GitHub,” Veracode said. “The campaign appears to be targeting GitHub’s own repositories as well as a user y8793hfiuashfjksdhfjsk which exists but has no public activity. This user account could be for testing.”
