Find notable cyber news and cases, enriched with sources, timelines, and signals.

Malicious npm package @acitons/artifact token-theft activity

Malware Activity
First reported
Last updated
Happening score
H score 35
1 unique sources, 1 articles

Summary

Hide ▲

The @acitons/artifact npm package is a malicious typosquat that used a post-install hook to download and run malware, putting GitHub Actions build tokens at risk. It was aimed at GitHub-owned repositories and was built to collect workflow secrets during installation. Researchers also identified a second package, 8jfiesaf83, with similar functionality.

Related Happenings

GitHub Agentic Workflows indirect prompt injection security flaw

Vulnerability
H score27 First: 07.07.2026 17:04 Last: 07.07.2026 17:04 Sources 1

About this happening: **GitHub Agentic Workflows** has an **indirect prompt injection** flaw that can let a **public issue** leak content from **private repositories** into public comments. The risk is...

GitHub actions/checkout blocks fork pull request checkouts by default in privileged workflows

Security Tool/Service
H score11 First: 23.06.2026 17:22 Last: 23.06.2026 17:22 Sources 1

About this happening: GitHub's **actions/checkout** now refuses common **pwn request** patterns by default, cutting the risk of attacker-controlled code execution in privileged **GitHub Actions** workf...

Atomic-lockfile rootkit-infostealer distribution through AUR packages

Malware Activity
H score3 First: 12.06.2026 20:03 Last: 12.06.2026 20:03 Sources 1

About this happening: **AUR packages** are distributing the **atomic-lockfile** **Linux rootkit and infostealer** through compromised build scripts, with **more than 400 packages** reported and the **o...

GitHub npm v12 hardens install-time dependency execution and source resolution

Security Tool/Service
H score11 First: 10.06.2026 22:41 Last: 10.06.2026 22:41 Sources 1

About this happening: **GitHub** is tightening **npm v12** next month by blocking automatic dependency install scripts and non-registry sources, reducing supply-chain attack paths triggered by **npm in...

Anthropic Claude Code GitHub Action bypass fix (v1.0.94)

Security Patch Release
H score43 First: 04.06.2026 18:15 Last: 04.06.2026 18:15 Sources 1

About this happening: Anthropic shipped **claude-code-action v1.0.94** to close a **trigger-check bypass** in **Claude Code GitHub Action**, reducing takeover risk for **public repositories** that run...

Timeline

  1. 11.11.2025 13:55 1 articles · 8mo ago

    @acitons/artifact first appears on npm

    Untyped Phase

    The malicious npm package @acitons/artifact was first uploaded to npm on October 29, 2025. It typosquatted @actions/artifact and was positioned to target GitHub-owned repositories through build-time package execution.

    Show sources
  2. 11.11.2025 13:55 2 articles · 8mo ago

    Veracode analyzes malicious npm versions targeting GitHub

    Technical Analysis Update

    Veracode identified @acitons/artifact as a malicious npm typosquat of @actions/artifact aimed at GitHub-owned repositories. The analysis said six versions from 4.0.12 to 4.0.17 used a post-install hook to download and run malware, another package named 8jfiesaf83 had similar functionality, and the payload checked GITHUB_ variables before exfiltrating data to app.github[.]dev.

    Show sources