"A malicious npm package named "@acitons/artifact" was found impersonating the legitimate "@actions/artifact" module, directly targeting the CI/CD pipelines within GitHub Actions workflows. According to Veracode findings, the package was uploaded on November 7 and was designed to trigger during the build process of GitHub-owned repositories. Once executed inside a CI/CD runner, the payload captures any tokens available to that build environment and then uses those credentials to publish malicious artifacts-effectively impersonating GitHub itself."
""This incident isn't just about a malicious npm package, it is about the blind trust many organizations place in the modern supply chain," said Randolph Barr, CISO at Cequence Security. "Most organizations focus their controls on runtime environments, yet the CI/CD pipeline often runs with higher privilege than any developer. A single typosquatted dependency can silently execute code during a build, access repository tokens, and impersonate an organization, just as this attack attempted to do with GitHub's own repositories.""
An npm package named '@acitons/artifact' impersonated the official '@actions/artifact' and targeted GitHub Actions CI/CD pipelines. The package was uploaded on November 7 and activated during the build processes of GitHub-owned repositories. When executed inside a CI/CD runner, the payload captured any tokens available in the build environment and used those credentials to publish malicious artifacts, impersonating GitHub. The incident exposes blind trust in the software supply chain and the elevated privileges of CI/CD pipelines, showing that a single typosquatted dependency can silently run code during builds, access tokens, and impersonate an organization.
Read at InfoWorld
Unable to calculate read time
Collection
[
|
...
]