Malicious npm Package Targets GitHub Actions CI/CD Workflows
A malicious npm package named @acitons/artifact was discovered impersonating the legitimate @actions/artifact module, specifically targeting GitHub Actions CI/CD pipelines. The package was designed to be triggered during the build process of GitHub-owned repositories, where it would capture available tokens from the build environment and use them to publish malicious artifacts under GitHub’s name. The attack leveraged a post-install hook to download and execute an obfuscated shell script called harness, which was not detected by popular antivirus solutions. The package was downloaded over 260,000 times before being detected, with six malicious versions uploaded to npm.
Further analysis revealed that the malware was configured to only execute if certain GitHub-specific environment variables were present, indicating a targeted attack against GitHub’s own repositories. The script exfiltrated sensitive data in encrypted form to a remote server and was designed to avoid execution after a specific date. Another related npm package, 8jfiesaf83, was also identified with similar functionality but has since been removed. The threat actor behind the campaign, identified as "blakesdev," removed the offending versions after discovery, but the incident highlights the risks of supply chain attacks in CI/CD environments and the potential for privilege escalation through typosquatted dependencies.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
GitHub says the typosquatted packages were an internal exercise
GitHub stated that the typosquatted npm packages targeting credentials were only part of an internal exercise. This response reframed the incident from an apparent external supply-chain attack to a controlled internal test.
Researchers detect typosquatted npm package targeting GitHub repositories
Security researchers publicly reported that the typosquatted package had been used to target GitHub-owned repositories through GitHub Actions builds. Reports said the package had been downloaded more than 47,000 times and was designed to steal build-environment tokens and publish malicious artifacts while impersonating GitHub.
Veracode blocks the malicious npm package for customers
Veracode said its Package Firewall customers were protected from downloading the typosquatted package after researchers triaged it. This defensive action was in place by Nov. 7, 2025.
Malicious package activity ceases after time-based kill switch
Researchers reported the package included a time-based kill switch and stopped operating after Nov. 6, 2025, indicating the campaign was intentionally bounded. This marked the end of the package's active malicious behavior window.
Malicious typosquatted npm package campaign begins
A malicious npm package, "@acitons/artifact," was set up to impersonate the legitimate "@actions/artifact" package and target GitHub Actions build environments. The malware checked for GitHub-related environment variables and attempted to exfiltrate build tokens for follow-on abuse.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Malicious npm package uses typosquatting to infect legitimate GitHub repo
scworld.com
Open sourceMalicious npm package sneaks into GitHub Actions builds
csoonline.com
Open sourceGitHub: Typosquatted npm packages targeting credentials only an internal exercise
scworld.com
Open sourceResearchers Detect Malicious npm Package Targeting GitHub-Owned Repositories
thehackernews.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Malicious NPM Packages Targeting the JavaScript Supply Chain
A large-scale attack on the NPM (Node Package Manager) ecosystem has been uncovered, involving the publication of over 64,000 malicious packages by a coordinated group known as the IndonesianFoods worm. This campaign, active for more than two years, leveraged at least seven newly created NPM user accounts to distribute the malicious packages, which are notable for their consistent naming patterns and unusual internal dictionary. The attackers focused on creating new packages rather than stealing credentials, and the scale of the operation more than doubles the previously known number of malicious NPM packages. Security researchers have made available a comprehensive list of the affected packages and user accounts for further analysis. In a separate but related incident, researchers identified a highly popular fake NPM package, "@acitons/artifact," which was downloaded over 206,000 times. This package used a typosquatting technique to mimic the legitimate GitHub Actions Toolkit and was designed to steal GitHub credentials by executing a malicious post-install script. The attack highlights the growing threat of software supply chain compromises, with the malicious package aiming to exfiltrate tokens from build environments and potentially publish further malicious artifacts. Both incidents underscore the increasing sophistication and scale of supply chain attacks targeting the JavaScript development community.
Mar 21, 2026
npm Supply-Chain Attacks Steal Developer Tokens and Enable Cloud Compromise
Threat actors are using **malicious npm packages** to steal developer credentials and CI/CD secrets, enabling rapid escalation into cloud environments. Google reported that **UNC6426** leveraged keys stolen during the earlier compromise of the *nx* npm ecosystem to pivot from a stolen developer GitHub token into **AWS administrative access within 72 hours**, abusing **GitHub-to-AWS OpenID Connect (OIDC) trust** to create a new admin role. The actor then used that access to **exfiltrate data from AWS S3** and conduct **destructive actions** in production cloud environments; the initial *nx* compromise involved a GitHub Actions `pull_request_target` workflow abuse (“**Pwn Request**”) that enabled publishing trojanized packages containing a `postinstall` chain that executed the **QUIETVAULT** JavaScript credential stealer and uploaded stolen data to a public GitHub repo (`/s1ngularity-repository-1`). Separately, researchers reported new waves of the **PhantomRaven** npm supply-chain campaign distributing **88 additional malicious packages** (via ~50 disposable accounts) that target JavaScript developers by exfiltrating secrets from files like `.gitconfig` and `.npmrc`, environment variables, and CI/CD tokens (e.g., GitHub/GitLab/Jenkins/CircleCI). The campaign uses **slopsquatting** (LLM-suggested lookalike package names) and a stealth technique called **Remote Dynamic Dependencies (RDD)**, where `package.json` pulls a dependency from an external URL so the malicious payload is fetched at install time (`npm install`) and can evade static package inspection; researchers indicated many of these packages remained available in the npm registry at the time of reporting.
Mar 21, 2026
Compromised GitHub Actions tags exfiltrated CI/CD secrets from runners
Threat actors compromised the popular GitHub Actions repositories `actions-cool/issues-helper` and `actions-cool/maintain-one-comment` by moving version tags to imposter commits outside the normal commit history, causing workflows that referenced those tags to fetch and run malicious code. Researchers said the payload downloaded the **Bun** JavaScript runtime, read memory from the GitHub Actions `Runner.Worker` process to recover decrypted secrets, and exfiltrated the data over HTTPS to the attacker-controlled domain `t.m-kosche[.]com`; workflows pinned to a known-good full commit SHA were not affected. GitHub later disabled access to the repository for a terms-of-service violation, while StepSecurity added the action to its Compromised Actions Policy and blocked the exfiltration domain through Harden-Runner. The incident highlights a broader GitHub Actions supply-chain risk in which CI/CD trust can be subverted through mutable references and weak integrity controls. Separate research showed that a modified Maven wrapper in a pull request could achieve code execution on GitHub-hosted runners and, if merged, later expose release secrets such as Maven publishing credentials and GPG material, underscoring the need for checksum validation on wrapper scripts and immutable pinning to trusted commit SHAs for third-party actions. StepSecurity also linked the same exfiltration infrastructure to the recent **Mini Shai-Hulud** activity targeting npm packages in the `@antv` ecosystem, suggesting the GitHub Actions compromise may be part of a wider supply-chain campaign.
May 19, 2026