Full Report
Cybersecurity researchers have discovered a malicious npm package named "@acitons/artifact" that typosquats the legitimate "@actions/artifact" package with the intent to target GitHub-owned repositories. "We think the intent was to have this script execute during a build of a GitHub-owned repository, exfiltrate the tokens available to the build environment, and then use those tokens to publish
Analysis Summary
# Tool/Technique: Malicious npm package "@acitons/artifact"
## Overview
This entry details a malicious npm package, **"@acitons/artifact"**, discovered by cybersecurity researchers. It is a typo-squatting attempt targeting the legitimate package **`@actions/artifact`**. The primary intent was to compromise GitHub-owned repositories during their build process to exfiltrate sensitive tokens and potentially publish malicious artifacts masquerading as legitimate GitHub releases. Another package, **"8jfiesaf83"**, exhibited similar functionality.
## Technical Details
- Type: Malware (Supply Chain Attack via Malicious Package)
- Platform: npm (JavaScript/Node.js ecosystem), targeting Linux environments during GitHub Actions builds.
- Capabilities: Execution via post-install hook, token exfiltration, timed execution restriction, and communication to a designated exfiltration domain.
- First Seen: October 29, 2025 (First upload date of the malicious package).
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
- T1195.002 - T1195.002: Supply Chain Compromise: Compromise Software Supply Chain
- **TA0010 - Exfiltration**
- T1041 - T1041: Exfiltration Over Command and Control Channel
- **TA0002 - Execution**
- T1204.002 - T1204.002: User Execution: Malicious File
## Functionality
### Core Capabilities
- **Typo-squatting:** Impersonating the legitimate `@actions/artifact` package to deceive developers into installing it.
- **Execution via Post-Install Hook:** The malicious logic is embedded in a `postinstall` script within the package, which runs automatically after installation.
- **Token Exfiltration:** Designed to check for and exfiltrate environment variables (specifically `GITHUB_` variables) set within the GitHub Actions build environment.
- **Data Staging:** Collected secrets are encrypted and written to a local text file before exfiltration.
- **Targeted Attack:** Explicitly designed to target repositories owned by the GitHub organization.
### Advanced Features
- **Time-Based Obfuscation/Limitation:** The downloaded secondary payload (a binary, likely an obfuscated shell script named "harness") included a hardcoded check to prevent execution if the current time was after November 6, 2025 UTC.
- **Secondary Payload Dropper:** The postinstall script downloads a secondary binary named "harness" from a removed GitHub account (`github[.]com/jmasdg`).
- **Verification Script:** The "harness" binary executes a JavaScript file named "verify.js" which performs the environmental checks and exfiltration logic.
## Indicators of Compromise
- File Hashes: Not explicitly provided in the context.
- File Names:
- Malicious package name: `@acitons/artifact`
- Secondary payload binary: `harness`
- Exfiltration script: `verify.js`
- Registry Keys: Not applicable (primarily targets build environment variables/file system).
- Network Indicators:
- Exfiltration domain: `app[.]github[.]dev` (subdomain used for C2/exfiltration)
- Behavioral Indicators:
- Installation of npm package `@acitons/artifact`.
- Execution of post-install scripts downloading external binaries.
- Checking for GitHub Actions environment variables (e.g., GITHUB_ACTOR, GITHUB_TOKEN).
- Attempts to write encrypted data to files followed by network connection to `app[.]github[.]dev`.
## Associated Threat Actors
The specific threat actor group is not named, but the package publisher/uploader is identified as **blakesdev**. The attack showed high specificity, indicating a potential actor targeting proprietary GitHub infrastructure or conducting specific espionage.
## Detection Methods
- **Signature-based detection:** Detection rules scanning for package names like `@acitons/artifact` or `8jfiesaf83` in dependency manifests or network traffic.
- **Behavioral detection:** Monitoring build pipelines for unusual file creation (`harness`, `verify.js`) or suspicious outbound network connections originating from the CI/CD runner environment, especially concerning environment variable enumeration.
- **YARA rules:** Could be developed based on known code patterns or strings within the obfuscated "harness" script or "verify.js".
## Mitigation Strategies
- **Dependency Verification:** Implement strict dependency allow-listing and review mechanisms. Always verify the correct spelling and source of critical packages, especially those related to CI/CD tooling (like GitHub Actions).
- **Principle of Least Privilege:** Ensure that GitHub Action runners only have the exact permissions necessary for the build, minimizing the damage if tokens are compromised.
- **Software Composition Analysis (SCA):** Use SCA tools to scan dependencies for typosquatting or known malicious packages before they enter the build environment.
- **Isolate Builds:** Run builds in ephemeral, highly restricted environments to limit the scope of credential exfiltration.
## Related Tools/Techniques
- Supply Chain Attacks leveraging open-source repositories (npm, PyPI, RubyGems).
- Typosquatting as a primary delivery mechanism for malware in development ecosystems.
- The package "8jfiesaf83" which shared similar exfiltration functionality.