Security researchers have uncovered a malicious npm package, @acitons/artifact, that impersonates the legitimate @actions/artifact module and specifically targets repositories owned by GitHub. The goal: execute inside GitHub Actions, exfiltrate build tokens, and use them to publish new malicious artifacts as if they came from GitHub itself.
Veracode reports that the author behind the package, using the handle blakesdev, uploaded at least six malicious versions – from 4.0.12 to 4.0.17. These builds contained a postinstall hook that, once the package was installed, pulled down and ran additional malware. The currently available version on npm is 4.0.10 without the hook, and the suspect versions have been removed from the registry, but by then the package had already accumulated more than 47,000 downloads.
After installation, the tampered
@acitons/artifactfetched a binary called harness from a separate GitHub account. This turned out to be an obfuscated shell script with a built-in timebomb – it refused to run if the system date was later than November 6, 2025 (UTC). It then launched a JavaScript file,verify.js, which checked for the presence ofGITHUB_environment variables, effectively confirming that the code was running inside a GitHub Actions workflow.
If the check passed, the script collected those variables – including repository access tokens – encrypted them, and exfiltrated them to a text file hosted under the
app.github.devsubdomain. Veracode stresses that the logic is clearly tuned to hit repositories owned by the GitHub organization, as well as a single throwaway user account, making this a highly targeted campaign rather than random npm spray-and-pray.
Researchers also found another npm package with similar behavior, named 8jfiesaf83. It has since been removed from the registry, but not before it was downloaded just over a thousand times.
Software supply-chain attacks have become one of the favorite tactics for threat actors: instead of breaking into a single company, they compromise a dependency the entire ecosystem uses. Typosquatting is a classic move here: register a package whose name is almost identical to a popular one (@acitons/artifact vs. @actions/artifact) and wait for someone to mistype it in their dependencies.
npm, PyPI and other package registries regularly purge malicious uploads, yet the trust chain remains fragile. The @acitons/artifact case shows a new level of ambition: the attackers weren’t just after any CI/CD pipeline, but the infrastructure of GitHub itself, potentially gaining the ability to ship fake builds “from GitHub” and use them as a pivot further down the supply chain.
The @acitons/artifact incident is a reminder that npm install is no longer a trivial command. Development teams should:
double-check package names and publishers before adding them;
pin dependency versions and monitor suspicious updates;
review and scan
postinstall/preinstallhooks and other lifecycle scripts;
restrict GitHub Actions tokens to the minimum required scope and use separate credentials for CI.
Otherwise, a single harmless-looking typo in package.json can turn your build pipeline into an entry point for an attack aimed at GitHub-scale targets.
