A sophisticated **typosquatting attack** targeted GitHub via a malicious npm package **‘@acitons/artifact’** (mimicking the legitimate **‘@actions/artifact’**), accumulating **206,000+ downloads** before removal. The attack exploited developers mistyping dependency names, deploying a **post-install hook** that executed obfuscated malware undetected by antivirus tools (0/60 on VirusTotal at discovery). The malware, compiled via **Shell Script Compiler (shc)**, checked for **GitHub-specific environment variables** (e.g., build tokens) and exfiltrated **authentication tokens** from GitHub Actions workflows. These tokens could enable attackers to **publish malicious artifacts under GitHub’s identity**, risking a **cascading supply chain compromise**. The campaign used **hardcoded expiry dates** (Nov 6–7, 2023) and **AES-encrypted exfiltration** via a GitHub App endpoint, evading detection. The attack directly threatened **GitHub’s CI/CD infrastructure**, with potential downstream risks to **repositories, developers, and enterprise customers** relying on GitHub Actions. While GitHub removed the malicious packages and users, the incident highlights critical vulnerabilities in **dependency trust models** and the escalating threat of **supply chain attacks** (OWASP Top 10 2025).
Source: https://gbhackers.com/malicious-npm-package/
GitHub cybersecurity rating report: https://www.rankiteo.com/company/github
"id": "GIT4192541111325",
"linkid": "github",
"type": "Cyber Attack",
"date": "11/2023",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
```json
{
  "affected_entities": [
    {
      "customers_affected": "developers using GitHub Actions (206,000+ package downloads)",
      "industry": "software development/platform",
      "location": "San Francisco, California, USA",
      "name": "GitHub (Microsoft)",
      "size": "large enterprise",
      "type": "technology company"
    },
    {
      "industry": ["software development", "DevOps", "CI/CD"],
      "location": "global",
      "name": "Developers using '@acitons/artifact'",
      "type": "individuals/organizations"
    }
  ],
  "attack_vector": [
    "typosquatting (npm package)",
    "post-install hook",
    "obfuscated shell script (shc)",
    "Node.js package with obfuscated JavaScript ('verify.js')",
    "GitHub Actions environment variables"
  ],
  "customer_advisories": ["Veracode customers received automated protection via Package Firewall"],
  "data_breach": {
    "data_encryption": ["AES encryption for exfiltrated data"],
    "data_exfiltration": true,
    "sensitivity_of_data": "high (build environment credentials)",
    "type_of_data_compromised": ["GitHub authentication tokens", "environment variables"]
  },
  "date_detected": "2023-11-07",
  "date_publicly_disclosed": "2023-11-07",
  "description": "On November 7th, Veracode Threat Research discovered a typosquatting campaign targeting developers using GitHub Actions. The malicious npm package '@acitons/artifact' (mimicking the legitimate '@actions/artifact') accumulated over 206,000 downloads before removal. The package contained a post-install hook that executed obfuscated malware, designed to exfiltrate GitHub authentication tokens during builds. The attack demonstrated advanced operational security, including self-termination dates and encrypted exfiltration via GitHub App-based endpoints. The campaign targeted GitHub's own repositories and posed a supply chain risk.",
  "impact": {
    "brand_reputation_impact": ["eroded trust in npm/GitHub Actions ecosystem", "developer caution in package installation"],
    "data_compromised": ["GitHub authentication tokens", "potential downstream repository access"],
    "identity_theft_risk": ["if tokens allowed access to personal repositories"],
    "operational_impact": ["potential cascading supply chain attacks", "compromised build environments"],
    "systems_affected": ["GitHub Actions CI/CD pipelines", "developer workstations (via npm install)"]
  },
  "initial_access_broker": {
    "backdoors_established": ["post-install hook with obfuscated malware"],
    "entry_point": "npm package installation ('@acitons/artifact')",
    "high_value_targets": ["GitHub organization repositories", "GitHub Actions environment variables"]
  },
  "investigation_status": "resolved (package removed, accounts terminated)",
  "lessons_learned": [
    "Typosquatting remains effective for supply chain attacks despite awareness.",
    "Obfuscation techniques (shc, encrypted C2) can evade AV detection (0/XX on VirusTotal).",
    "GitHub Actions environment variables are high-value targets for token theft.",
    "Short-lived malware (self-termination dates) complicates detection.",
    "CI/CD pipelines require stricter dependency verification (e.g., package signing, allowlists)."
  ],
  "motivation": ["supply chain compromise", "authentication token theft", "impersonation of GitHub for downstream attacks"],
  "post_incident_analysis": {
    "corrective_actions": [
      "npm removed malicious package and related versions.",
      "GitHub terminated associated user accounts.",
      "Veracode enhanced detection for obfuscated post-install scripts.",
      "Public advisory issued to raise awareness of typosquatting risks in CI/CD."
    ],
    "root_causes": [
      "Lack of package name validation during npm install.",
      "Over-permissive GitHub Actions environment variables.",
      "Insufficient scanning of post-install hooks in npm packages.",
      "Developer reliance on automated dependency installation without verification."
    ]
  },
  "recommendations": [
    "Implement package allowlists for CI/CD dependencies.",
    "Use tools like Veracode Package Firewall to block malicious packages.",
    "Enable GitHub’s dependency review for Actions workflows.",
    "Monitor for unusual npm package installations (e.g., typosquatted names).",
    "Restrict access to GitHub Actions environment variables (least privilege).",
    "Scan build environments for unauthorized network egress (exfiltration).",
    "Educate developers on verifying package names during installation."
  ],
  "references": [
    {"date_accessed": "2023-11-07", "source": "Veracode Threat Research"},
    {"date_accessed": "2023-11-07", "source": "GBHackers (GBH)"},
    {"source": "OWASP Top 10 2025 (Supply Chain Attacks)"}
  ],
  "response": {
    "communication_strategy": ["public disclosure by Veracode", "media coverage (e.g., GBH)"],
    "containment_measures": [
      "npm package removal ('@acitons/artifact')",
      "removal of two GitHub user accounts linked to malware",
      "blocking 12 versions of related package '8jfiesaf83'"
    ],
    "enhanced_monitoring": ["recommended for GitHub Actions environments"],
    "incident_response_plan_activated": true,
    "remediation_measures": ["Veracode Package Firewall protection for customers", "advisory for GitHub Actions users to scrutinize dependencies"],
    "third_party_assistance": ["Veracode Threat Research"]
  },
  "stakeholder_advisories": ["Developers advised to audit GitHub Actions dependencies for '@acitons/artifact'"],
  "title": "Typosquatting Campaign Targeting GitHub Actions via Malicious npm Package '@acitons/artifact'",
  "type": ["supply chain attack", "typosquatting", "malware", "data exfiltration"],
  "vulnerability_exploited": [
    "developer mistyped dependency installation",
    "lack of package verification in CI/CD pipelines",
    "unrestricted access to GitHub Actions environment variables"
  ]
}
```