Npm Package Targeting GitHub-Owned Repositories Flagged as Red Team Exercise
13.11.2025

Veracode exposes npm package "@acitons/artifact" stealing GitHub tokens via build scripts.
🚨 Veracode has exposed a malicious npm package, "@acitons/artifact", that steals GitHub tokens through npm build scripts. This is not a run-of-the-mill supply chain attack: it specifically targeted GitHub-owned repositories, and the activity has since been flagged as a red team exercise.

The package masquerades as the legitimate GitHub Actions artifact tooling (the real package is @actions/artifact) but runs malicious code at install time to exfiltrate GitHub tokens and other credentials. Security researchers are calling it one of the most sophisticated npm supply chain attacks seen this year.
- Package name: @acitons/artifact (a deliberate typosquat of @actions/artifact)
- Attack vector: npm lifecycle (build/install) script executed during npm install
- Target: GitHub-owned repositories and their tokens
- Detection: Veracode threat intelligence team
- Status: flagged as red team exercise activity
This is exactly why dependencies need to be audited regularly. The package was designed to blend in with legitimate GitHub tooling, which makes it harder to spot during routine security scans.
The discovery highlights the growing sophistication of software supply chain attacks and the need for robust dependency management. If you use npm in your workflow, check your package.json and lock files now for look-alike package names and unexpected install scripts.
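The two things this case turns on, a look-alike scoped name and an install-time lifecycle script, are both visible in an npm lockfile and in an installed package's manifest. The script below is an added example, not code from Veracode, GitHub or ATLA WIRE: it walks the `packages` map of a lockfile v2/v3 object, flags scopes within a small edit distance of a trusted scope, and flags entries npm has marked `hasInstallScript: true`. The trusted-scope list, the distance threshold, the sample lockfile and the sample manifest are all constructed for illustration.

```javascript
// Added example, not code from Veracode, GitHub or ATLA WIRE: a small audit
// over an npm lockfile that flags two things the @acitons/artifact case turns on:
//   1. scoped package names that are a near-typo of a well-known scope, and
//   2. dependencies that declare an npm install lifecycle script
//      (lockfile v2/v3 records these as `hasInstallScript: true`).
// KNOWN_SCOPES, the distance threshold and all sample data are constructed
// for illustration; they are not npm or GitHub policy.

const KNOWN_SCOPES = ['@actions', '@octokit', '@types'];
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Optimal string alignment distance: insert, delete, substitute, or swap two
// adjacent characters, each costing 1. A swap is what turns "actions" into "acitons".
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// "@acitons/artifact" -> "@acitons"; unscoped names return null.
function scopeOf(name) {
  return name.startsWith('@') ? name.split('/')[0] : null;
}

// Closest trusted scope and how many edits away it is.
function nearestKnownScope(scope) {
  let best = null;
  for (const known of KNOWN_SCOPES) {
    const distance = editDistance(scope, known);
    if (best === null || distance < best.distance) best = { scope: known, distance };
  }
  return best;
}

// A scope is a look-alike when it is not itself trusted but sits within
// maxDistance edits of a trusted one. The threshold of 2 is an illustrative choice.
function isLookalikeScope(scope, maxDistance = 2) {
  if (KNOWN_SCOPES.includes(scope)) return false;
  const best = nearestKnownScope(scope);
  return best !== null && best.distance <= maxDistance;
}

// Lifecycle hooks that a manifest (an installed package's package.json) declares.
function installScripts(manifest) {
  const scripts = manifest.scripts || {};
  return INSTALL_HOOKS.filter((hook) => typeof scripts[hook] === 'string');
}

// Walk the `packages` map of a lockfile v2/v3 object and collect findings.
function auditLockfile(lock) {
  const findings = [];
  const marker = 'node_modules/';
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project itself
    const name = entry.name || path.slice(path.lastIndexOf(marker) + marker.length);
    const scope = scopeOf(name);
    if (scope && isLookalikeScope(scope)) {
      const near = nearestKnownScope(scope);
      findings.push({ name, version: entry.version,
        reason: `scope ${scope} is ${near.distance} edit(s) from ${near.scope}` });
    }
    if (entry.hasInstallScript) {
      findings.push({ name, version: entry.version,
        reason: 'declares an npm install lifecycle script' });
    }
  }
  return findings;
}

// Constructed sample lockfile; versions are placeholders, not the real packages' versions.
const sampleLock = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/@actions/core': { version: '1.10.0' },
    'node_modules/@acitons/artifact': { version: '2.1.0', hasInstallScript: true },
    'node_modules/left-pad': { version: '1.3.0' },
  },
};

// Constructed sample manifest for the look-alike package; the script body is a placeholder.
const sampleManifest = {
  name: '@acitons/artifact',
  version: '2.1.0',
  scripts: { postinstall: 'node scripts/setup.js' },
};

for (const f of auditLockfile(sampleLock)) console.log(`${f.name}@${f.version}: ${f.reason}`);
console.log('install hooks in manifest:', installScripts(sampleManifest));
```

In real use, replace `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and run `installScripts` over each `node_modules/*/package.json`. Two caveats: lockfile v1 has no `packages` map or `hasInstallScript` field, so check `lockfileVersion` first; and installing with npm's `--ignore-scripts` flag blocks the install-time hook but does nothing about the typosquatted name itself, so the name check still matters.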
#npm packages #supply chain attacks #malware #credentials leakage #credentials
Got a topic? Write to ATLA WIRE on Telegram: t.me/atla_community

