A malicious npm package named “@acitons/artifact” was found impersonating the legitimate “@actions/artifact” module, directly targeting the CI/CD pipelines within GitHub Actions workflows.

According to Veracode findings, the package was uploaded on November 7 and was designed to trigger during the build process of GitHub-owned repositories. Once executed inside a CI/CD runner, the payload captures any tokens available to that build environment and then uses those credentials to publish malicious artifacts–effectively impersonating GitHub itself.

“This incident isn’t just about a malicious npm package, it is about the blind trust many organizations place in the modern supply chain,” said Randolph Barr, CISO at Cequence Security. “Most organizations focus their controls on runtime environments, yet the CI/CD pipeline often runs with higher privilege than any developer. A single typosquatted dependency can silently execute code during a build, access repository tokens, and impersonate an organization, just as this attack attempted to do with GitHub’s own repositories.”

The malicious package picked up over 260k downloads before detection, and a total of six versions were uploaded–none detectable by “any popular anti-virus” products, Veracode researchers noted in a blog post.

GitHub says that the packages were uploaded internally as part of its red teaming efforts. “The packages referenced in Veracode’s blog were part of a tightly controlled exercise conducted by GitHub’s Red Team,” a GitHub spokesperson told CSO. “GitHub takes security seriously and regularly tests its security posture through rigorous, realistic Red Team exercises to ensure resilience against current threat actor techniques. At no point were GitHub systems or data at risk.”

Hijacking the GitHub Actions build process

On the surface, the @acitons/artifact package looked normal, with its metadata describing it as “actions artifact lib,” and its homepage and repository URLs closely mirroring those of the legitimate GitHub project. But embedded inside was a post-install hook that downloaded and executed an obfuscated shell script named “harness.”

Veracode’s analysis showed that this script, compiled with a shell-script compiler tool, contained a time-based kill switch set to deactivate after November 6, 2025–likely to evade detection after a brief active window. Once invoked, the harness would fetch a JavaScript file (“verify.js”) meant to check whether the build environment belonged to GitHub and, if so, exfiltrate GitHub Action tokens. These tokens could then be misused to impersonate GitHub and publish malicious releases.

“Typosquatting is a well-known and growing threat vector in software supply chains whereby attackers publish packages with similar names as legitimate ones and then wait for a mistake to happen, bringing the victim to their repository to install malicious code by mistake,” explained Boris Cipot, Senior Security Engineer at Black Duck. “This attack strategy is designed to exploit typos and to leverage the automated nature of CI/CD pipelines.”

Cipot added that the use of a post-install hook and a short-lived obfuscated payload shows a deliberate attempt to blend in with normal build activity.

Lessons in defense

Barr pointed out that higher privileges in CI/CD pipelines make them an ideal target. Attackers who compromise a build runner can inject code at the source, sign releases with legitimate credentials, or push authentic-looking artifacts.

Mitigations, Cipot recommended, would include short-lived, scoped tokens with regular secret rotations. Automated scanning for suspicious packages using tools like Socket.dev or Phylum might also help stay ahead of the threat. Other ways to verify package authenticity include checksum validation and emerging standards like Sigstore, he added.

Jason Soroko, senior fellow at Sectigo, advises an immediate response for teams potentially affected. “Search source code, lockfiles, caches, and registries for @acitons and 8jfiesaf83 then quarantine any runners that fetched them,” he said. “Rotate all tokens and review artifacts and package publish history for the period from October 29 to November 6, 2025.”
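
The lockfile search and automated package checks described above can be scripted. The following is an added example, not code from Veracode, GitHub or anyone quoted in this article: it walks the `packages` map of an npm v2/v3 lockfile and flags the two strings Soroko names, scopes that sit within a small edit distance of a trusted scope, and whether a flagged package declares an install script. The trusted-scope list, the distance threshold of 2 and the sample lockfile are assumptions constructed for illustration.

```javascript
// Added example: audit an npm lockfile (v2/v3 "packages" map) for typosquatted scopes.
const INDICATORS = ['@acitons', '8jfiesaf83']; // strings quoted in the article
const TRUSTED_SCOPES = ['@actions'];           // assumption: scopes your builds rely on
const NM = 'node_modules/';

// Optimal-string-alignment distance: a swapped adjacent pair counts as one edit,
// which is the "acitons" vs "actions" case.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i, ...Array(b.length).fill(0)]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry
    const idx = path.lastIndexOf(NM);
    const name = idx < 0 ? path : path.slice(idx + NM.length);
    const scope = name.startsWith('@') ? name.split('/')[0] : null;
    const reasons = [];
    if (INDICATORS.some((i) => name.includes(i) || (meta.resolved || '').includes(i))) reasons.push('known-indicator');
    if (scope && !TRUSTED_SCOPES.includes(scope)) {
      const near = TRUSTED_SCOPES.find((t) => editDistance(scope, t) <= 2);
      if (near) reasons.push(`lookalike-of:${near}`);
    }
    if (reasons.length && meta.hasInstallScript) reasons.push('has-install-script');
    if (reasons.length) findings.push({ name, version: meta.version, reasons });
  }
  return findings;
}

// Constructed sample lockfile (not real registry data).
const sampleLock = { lockfileVersion: 3, packages: {
  '': { name: 'demo', version: '1.0.0' },
  'node_modules/@actions/core': { version: '0.0.0-sample' },
  'node_modules/@acitons/artifact': { version: '0.0.0-sample', hasInstallScript: true },
  'node_modules/left-pad': { version: '0.0.0-sample' },
} };
console.log(JSON.stringify(auditLockfile(sampleLock), null, 2));
```

To use it in a pipeline, replace `sampleLock` with the parsed contents of the repository's `package-lock.json` and fail the job when the returned list is non-empty.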
