Npm Package Targeting GitHub-Owned Repositories Flagged as Red Team Exercise
Cybersecurity researchers have discovered a malicious npm package named "@acitons/artifact" that typosquats the legitimate "@actions/artifact" package with the intent to target GitHub-owned repositories. "We think the intent was to have this script execute during a build of a GitHub-owned repository, exfiltrate the tokens available to the build environment, and then use those tokens to publish
AI Analysis
Technical Summary
Researchers identified a malicious npm package named "@acitons/artifact," which is a typosquatting variant of the legitimate "@actions/artifact" package used in GitHub Actions workflows. The attacker uploaded multiple versions (4.0.12 to 4.0.17) of this package containing a post-install hook that downloads and runs a malware binary named "harness." This binary is an obfuscated shell script that checks the current date to avoid execution after November 6, 2025, and runs a JavaScript file "verify.js" to detect GitHub Actions environment variables (GITHUB_*). Upon detection, it exfiltrates these tokens in encrypted form to a text file hosted on a suspicious "app.github[.]dev" subdomain. The tokens stolen from the build environment could allow the attacker to publish malicious artifacts or perform unauthorized actions within targeted GitHub repositories. The attack was highly targeted, focusing only on repositories owned by the GitHub organization and a specific user account with no public activity, possibly for testing. Another malicious package, "8jfiesaf83," with similar behavior was also found but has been removed. The malicious versions have been removed from npm, and the latest available version is 4.0.10, which is clean. The package had significant download counts, indicating potential exposure. This attack exemplifies a sophisticated supply chain compromise leveraging typosquatting in the npm ecosystem to infiltrate CI/CD pipelines and exfiltrate sensitive credentials.
Potential Impact
For European organizations, especially those relying on GitHub Actions for CI/CD workflows and using npm packages, this threat underscores the risk of supply chain attacks via typosquatted packages. Although the attack targeted GitHub-owned repositories specifically, the techniques used could be adapted to target other organizations or open-source projects. If exploited in European companies' build environments, attackers could exfiltrate sensitive tokens, leading to unauthorized code deployments, insertion of malicious code, or compromise of internal development pipelines. This could result in intellectual property theft, reputational damage, and potential regulatory non-compliance under GDPR if sensitive data is leaked. The attack also highlights the risk of dependency confusion and the need for strict package source validation. Given the widespread use of npm and GitHub in Europe, the potential impact includes disruption of software supply chains and erosion of trust in open-source components.
Mitigation Recommendations
European organizations should implement strict package management policies including:
1) Enforce use of verified and trusted npm packages by enabling npm's package integrity checks and using package signing where possible.
2) Employ dependency scanning tools that detect typosquatting and suspicious packages before inclusion in build pipelines.
3) Restrict GitHub Actions tokens to least privilege scopes and rotate them regularly to limit exposure if compromised.
4) Use allowlists for npm packages in CI/CD workflows to prevent installation of unapproved packages.
5) Monitor network traffic from build environments for unusual outbound connections, especially to suspicious domains like "app.github.dev."
6) Implement runtime detection for anomalous post-install scripts or unexpected binary downloads during builds.
7) Educate developers and DevOps teams about supply chain risks and typosquatting attacks.
8) Consider using private package registries or mirrors to control dependencies.
9) Audit existing workflows for use of the affected package and remove or update them promptly.
10) Collaborate with GitHub security advisories and npm security teams to stay informed about emerging threats.
Affected Countries
United Kingdom, Germany, France, Netherlands, Sweden, Ireland, Belgium
Technical Details
- Article Source: https://thehackernews.com/2025/11/researchers-detect-malicious-npm.html (fetched 2025-11-12T01:02:56.303Z, word count 954)
Threat ID: 6913dcc3385fb4be4590632a
Added to database: 11/12/2025, 1:02:59 AM
Last enriched: 11/12/2025, 1:03:30 AM
Last updated: 12/27/2025, 10:22:57 AM