Malicious npm package @acitons/artifact token-theft activity

Malware Activity
Happening score (H score): 42
1 unique source, 1 article

Summary

The @acitons/artifact npm package is a malicious typosquat that used a post-install hook to download and run malware, putting GitHub Actions build tokens at risk. It was aimed at GitHub-owned repositories and was built to collect workflow secrets during installation. Researchers also identified a second package, 8jfiesaf83, with similar functionality.

Related Happenings

Mouse5212-super-formatter postinstall GitHub exfiltration package

Malware Activity
First: 27.05.2026 18:44 Last: 27.05.2026 18:44 Sources 1

About this happening: The **mouse5212-super-formatter** npm package is a **malicious infostealer** that can siphon files from **/mnt/user-data**, putting **Anthropic Claude** user data at risk of unaut...

Laravel Lang organization hit by network compromise

Incident
First: 23.05.2026 23:48 Last: 23.05.2026 23:48 Sources 1

About this happening: The **Laravel Lang organization** suffered a **repository compromise** that let attackers rewrite **GitHub tags** and ship malicious code through **Composer** installs. The affect...

Packagist package.json hook supply chain attack campaign

Campaign
First: 23.05.2026 19:07 Last: 23.05.2026 19:07 Sources 1

About this happening: A **coordinated supply chain attack campaign** compromised **eight Packagist packages**, creating repeat execution risk for projects that install the affected versions. The malici...

GitHub hit by network compromise

Incident
First: 20.05.2026 07:01 Last: 20.05.2026 07:01 Sources 1

About this happening: GitHub is investigating unauthorized access to its internal repositories after a third party allegedly offered stolen material for sale on a cybercrime forum. The intrusion was li...

Latest development: 20.05.2026 13:45

GitHub detected unauthorized access tied to a poisoned Visual Studio Code (VS Code) extension on an employee device, removed the malicious extension version, isolated the endpoint, and began incident response to contain exposure across internal repositories.

Actions-cool/issues-helper hit by network compromise

Incident
First: 19.05.2026 08:28 Last: 19.05.2026 08:28 Sources 1

About this happening: The **actions-cool/issues-helper** GitHub Actions supply-chain compromise let malicious tags run in **CI/CD pipelines**, causing **credential theft** and downstream account risk....

Timeline

  1. 11.11.2025 13:55 1 article · 6mo ago

    @acitons/artifact first appears on npm

    Untyped Phase

    The malicious npm package @acitons/artifact was first uploaded to npm on October 29, 2025. It typosquatted @actions/artifact and was positioned to target GitHub-owned repositories through build-time package execution.

  2. 11.11.2025 13:55 2 articles · 6mo ago

    Veracode analyzes malicious npm versions targeting GitHub

    Technical Analysis Update

    Veracode identified @acitons/artifact as a malicious npm typosquat of @actions/artifact aimed at GitHub-owned repositories. The analysis said six versions from 4.0.12 to 4.0.17 used a post-install hook to download and run malware, another package named 8jfiesaf83 had similar functionality, and the payload checked GITHUB_ variables before exfiltrating data to app.github[.]dev.

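One way to act on the indicators above, as an added example (not code from the cited analysis): a Node.js audit of a `package-lock.json` that flags the package names and versions listed on this page and, going beyond them, any dependency whose name is within two edits of a trusted name. The `TRUSTED` list, the sample lockfile and the `@actoins/core` name are assumptions constructed for illustration.

```javascript
const FLAGGED = new Map([            // names and versions as reported on this page
  ['@acitons/artifact', ['4.0.12', '4.0.13', '4.0.14', '4.0.15', '4.0.16', '4.0.17']],
  ['8jfiesaf83', null],              // no versions given on the page: flag any
]);
// Assumption: the dependency names your project actually intends to use.
const TRUSTED = ['@actions/artifact', '@actions/core', '@actions/cache'];

// Optimal string alignment distance: counts an adjacent swap ("it" vs "ti") as one edit.
function osaDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i, ...Array(b.length).fill(0)]);
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1])
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
    }
  }
  return d[a.length][b.length];
}

// Walks the "packages" map of a lockfileVersion 2/3 file, including nested installs.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const at = path.lastIndexOf('node_modules/');
    if (at === -1) continue;                   // "" is the root project entry
    const name = path.slice(at + 'node_modules/'.length);
    if (TRUSTED.includes(name)) continue;
    const versions = FLAGGED.get(name);        // undefined when the name is not flagged
    const near = TRUSTED.find((t) => osaDistance(name, t) <= 2);
    let reason = near ? `near-miss-of:${near}` : null;
    if (versions === null || versions?.includes(meta.version)) reason = 'reported-malicious';
    else if (versions) reason = 'flagged-name-other-version';
    if (reason) findings.push({ path, name, version: meta.version,
      installScript: meta.hasInstallScript === true, reason });
  }
  return findings;
}

// Constructed sample lockfile; "@actoins/core" is an invented name for illustration.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'demo', version: '1.0.0' },
  'node_modules/@actions/core': { version: '1.10.1' },
  'node_modules/@acitons/artifact': { version: '4.0.14', hasInstallScript: true },
  'node_modules/demo-dep/node_modules/8jfiesaf83': { version: '1.0.0', hasInstallScript: true },
  'node_modules/@actoins/core': { version: '0.0.1' },
} };
console.log(auditLockfile(SAMPLE_LOCK));
```

A finding with `installScript: true` means the lockfile records an install-time lifecycle script for that package, which is the execution path described in the analysis above.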