Malicious npm package @acitons/artifact token-theft activity
Malware Activity
Summary
Hide ▲
Show ▼
The @acitons/artifact npm package is a malicious typosquat that used a post-install hook to download and run malware, putting GitHub Actions build tokens at risk. It was aimed at GitHub-owned repositories and was built to collect workflow secrets during installation. Researchers also identified a second package, 8jfiesaf83, with similar functionality.
Related Happenings
GitHub Agentic Workflows indirect prompt injection security flaw
Vulnerability
H score27
First: 07.07.2026 17:04
Last: 07.07.2026 17:04
Sources 1
About this happening:
**GitHub Agentic Workflows** has an **indirect prompt injection** flaw that can let a **public issue** leak content from **private repositories** into public comments. The risk is...
GitHub Agentic Workflows indirect prompt injection security flaw
VulnerabilityAbout this happening: **GitHub Agentic Workflows** has an **indirect prompt injection** flaw that can let a **public issue** leak content from **private repositories** into public comments. The risk is...
GitHub actions/checkout blocks fork pull request checkouts by default in privileged workflows
Security Tool/Service
H score11
First: 23.06.2026 17:22
Last: 23.06.2026 17:22
Sources 1
About this happening:
GitHub's **actions/checkout** now refuses common **pwn request** patterns by default, cutting the risk of attacker-controlled code execution in privileged **GitHub Actions** workf...
GitHub actions/checkout blocks fork pull request checkouts by default in privileged workflows
Security Tool/ServiceAbout this happening: GitHub's **actions/checkout** now refuses common **pwn request** patterns by default, cutting the risk of attacker-controlled code execution in privileged **GitHub Actions** workf...
Atomic-lockfile rootkit-infostealer distribution through AUR packages
Malware Activity
H score3
First: 12.06.2026 20:03
Last: 12.06.2026 20:03
Sources 1
About this happening:
**AUR packages** are distributing the **atomic-lockfile** **Linux rootkit and infostealer** through compromised build scripts, with **more than 400 packages** reported and the **o...
Atomic-lockfile rootkit-infostealer distribution through AUR packages
Malware ActivityAbout this happening: **AUR packages** are distributing the **atomic-lockfile** **Linux rootkit and infostealer** through compromised build scripts, with **more than 400 packages** reported and the **o...
GitHub npm v12 hardens install-time dependency execution and source resolution
Security Tool/Service
H score11
First: 10.06.2026 22:41
Last: 10.06.2026 22:41
Sources 1
About this happening:
**GitHub** is tightening **npm v12** next month by blocking automatic dependency install scripts and non-registry sources, reducing supply-chain attack paths triggered by **npm in...
GitHub npm v12 hardens install-time dependency execution and source resolution
Security Tool/ServiceAbout this happening: **GitHub** is tightening **npm v12** next month by blocking automatic dependency install scripts and non-registry sources, reducing supply-chain attack paths triggered by **npm in...
Anthropic Claude Code GitHub Action bypass fix (v1.0.94)
Security Patch Release
H score43
First: 04.06.2026 18:15
Last: 04.06.2026 18:15
Sources 1
About this happening:
Anthropic shipped **claude-code-action v1.0.94** to close a **trigger-check bypass** in **Claude Code GitHub Action**, reducing takeover risk for **public repositories** that run...
Anthropic Claude Code GitHub Action bypass fix (v1.0.94)
Security Patch ReleaseAbout this happening: Anthropic shipped **claude-code-action v1.0.94** to close a **trigger-check bypass** in **Claude Code GitHub Action**, reducing takeover risk for **public repositories** that run...
Timeline
-
11.11.2025 13:55 1 articles · 8mo ago
@acitons/artifact first appears on npm
Untyped PhaseThe malicious npm package @acitons/artifact was first uploaded to npm on October 29, 2025. It typosquatted @actions/artifact and was positioned to target GitHub-owned repositories through build-time package execution.
Show sources
- Researchers Detect Malicious npm Package Targeting GitHub-Owned Repositories — thehackernews.com — 11.11.2025 13:55
-
11.11.2025 13:55 2 articles · 8mo ago
Veracode analyzes malicious npm versions targeting GitHub
Technical Analysis UpdateVeracode identified @acitons/artifact as a malicious npm typosquat of @actions/artifact aimed at GitHub-owned repositories. The analysis said six versions from 4.0.12 to 4.0.17 used a post-install hook to download and run malware, another package named 8jfiesaf83 had similar functionality, and the payload checked GITHUB_ variables before exfiltrating data to app.github[.]dev.
Show sources
- Researchers Detect Malicious npm Package Targeting GitHub-Owned Repositories — thehackernews.com — 11.11.2025 13:55
- Researchers Detect Malicious npm Package Targeting GitHub-Owned Repositories — thehackernews.com — 11.11.2025 13:55