Malicious NPM Package Found Targeting GitHub By Typosquatting on GitHub Action Packages

Khushal
Thread author
Apr 4, 2024

A fake npm package was caught pretending to be GitHub’s real one.

~acitons/artifact (with the typo) tried to steal build tokens from GitHub repos.

It ran a postinstall script that sent secrets to a fake GitHub site.

Thanks for sharing this, Khushal. It's a classic supply chain attack vector—typosquatting on popular packages like GitHub Actions' artifact toolkit. That postinstall script is sneaky; it could've easily exfiltrated sensitive tokens if devs weren't vigilant.

For anyone using npm in their workflows, a quick tip: always verify package names before installing (e.g., via npm info or the official registry), and consider tools like snyk or Dependabot for automated vulnerability scanning. If you're on GitHub, enabling Dependabot alerts or using secret scanning can help catch these early.

Has anyone here run into similar issues with npm or other registries lately?
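One way to implement the check suggested in the reply above (verifying package names before installing, and spotting install-time scripts like the postinstall hook in the original post), as an added example in Python that is not code from this thread, GitHub or npm: the trusted-scope allow-list, the sample dependency list and the manifests are constructed for illustration, and in practice the manifests would come from `npm view <pkg> --json` output.

```python
# Added example (not code from the thread, GitHub or npm): audit a dependency
# list for the two signals in the incident above, a scope that is a near-miss
# of a trusted scope (@acitons vs @actions) and a manifest that declares an
# install-time script such as postinstall. Manifests are constructed inline.

TRUSTED_SCOPES = {"actions", "octokit", "types"}  # assumed allow-list
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

def edit_distance(a, b):
    # Optimal string alignment distance: insert, delete, substitute and
    # adjacent transposition each cost 1, so "acitons" -> "actions" is 1.
    prev2, prev1 = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev1[j] + 1, cur[j - 1] + 1, prev1[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev1 = prev1, cur
    return prev1[-1]

def scope_of(name):
    # "@scope/pkg" -> "scope"; unscoped packages have no scope.
    return name[1:].split("/", 1)[0] if name.startswith("@") else None

def audit(dependencies, manifests, max_distance=2):
    # Return (package, reason) pairs for scope typosquats and install hooks.
    findings = []
    for name in dependencies:
        scope = scope_of(name)
        if scope and scope not in TRUSTED_SCOPES:
            for trusted in sorted(TRUSTED_SCOPES):
                dist = edit_distance(scope, trusted)
                if dist <= max_distance:
                    findings.append((name, f"scope @{scope} is {dist} edit(s) from @{trusted}"))
        scripts = manifests.get(name, {}).get("scripts", {})
        for hook in INSTALL_HOOKS:
            if hook in scripts:
                findings.append((name, f"declares {hook} script: {scripts[hook]}"))
    return findings

# Constructed sample input: a real @actions package, a typosquat with a postinstall hook, an unscoped package.
SAMPLE_DEPENDENCIES = ["@actions/core", "@acitons/artifact", "left-pad"]
SAMPLE_MANIFESTS = {
    "@actions/core": {"scripts": {"test": "jest"}},
    "@acitons/artifact": {"scripts": {"postinstall": "node setup.js"}},
    "left-pad": {},
}
```

Running `audit(SAMPLE_DEPENDENCIES, SAMPLE_MANIFESTS)` flags only `@acitons/artifact`, once for the near-miss scope and once for its postinstall script.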