Cybersecurity researchers have identified a malicious npm package called ‘@acitons/artifact’, designed to impersonate the legitimate ‘@actions/artifact’ package (the scope name differs only by two transposed letters). The package targets GitHub-owned repositories, exploiting developers’ trust in the official package.
The objective appears to be executing a script during the build process of these repositories, allowing it to exfiltrate sensitive tokens available in the build environment. Once these tokens are obtained, the attacker could misuse them to publish unauthorized changes or potentially compromise the repositories themselves. This incident underscores the importance of vigilance when using third-party packages in software development.
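The defensive check that follows from this report is a dependency audit for lookalike names and for packages that hook npm's install lifecycle. The code below is an added example, not from The Hacker News article or any GitHub project: it scores each dependency name against a trusted allowlist with the optimal-string-alignment distance (so a swapped letter pair, as in ‘@acitons’ versus ‘@actions’, costs 1), and for every near-miss reports whether the package also declares an install-time script. The allowlist, the sample dependency manifests and the hook script path are constructed assumptions for the example.

```javascript
// Added example (not from the article): flag dependency names that are
// near-misses of trusted packages and report install-time lifecycle hooks.

// Optimal string alignment distance: insertions, deletions, substitutions and
// adjacent transpositions each cost 1, so "@acitons/..." vs "@actions/..." is 1.
function osaDistance(a, b) {
  const m = a.length, n = b.length;
  const d = Array.from({ length: m + 1 }, () => new Array(n + 1).fill(0));
  for (let i = 0; i <= m; i++) d[i][0] = i;
  for (let j = 0; j <= n; j++) d[0][j] = j;
  for (let i = 1; i <= m; i++) {
    for (let j = 1; j <= n; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // transposition
      }
    }
  }
  return d[m][n];
}

// Trusted allowlist: an assumption for the example. A real project would
// derive this from its own reviewed lockfile.
const TRUSTED_PACKAGES = ["@actions/artifact", "@actions/core", "@actions/github", "@octokit/rest"];

// npm runs these scripts automatically during install, i.e. before the build
// proper starts, which is why a lookalike package declaring one deserves review.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

function installHooks(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  return INSTALL_HOOKS.filter((hook) => typeof scripts[hook] === "string");
}

// deps: map of package name -> its package.json manifest (what a lockfile or
// node_modules walk would give you). Returns one finding per lookalike name.
function findLookalikes(deps, trusted = TRUSTED_PACKAGES, maxDistance = 2) {
  const findings = [];
  for (const [name, manifest] of Object.entries(deps)) {
    if (trusted.includes(name)) continue; // exact allowlist match is fine
    let best = null;
    for (const candidate of trusted) {
      const distance = osaDistance(name, candidate);
      if (distance <= maxDistance && (best === null || distance < best.distance)) {
        best = { lookalikeOf: candidate, distance };
      }
    }
    if (best) findings.push({ name, ...best, installHooks: installHooks(manifest) });
  }
  return findings;
}

// Constructed sample project. The manifests are illustrative only; the hook
// script path is a placeholder, not the real package's contents.
const SAMPLE_DEPENDENCIES = {
  "@actions/core": { name: "@actions/core", version: "1.0.0", scripts: {} },
  "@acitons/artifact": {
    name: "@acitons/artifact",
    version: "0.0.1",
    scripts: { postinstall: "node ./example-hook.js" }, // constructed placeholder
  },
  "left-pad": { name: "left-pad", version: "1.3.0" },
};

function auditSampleProject() {
  return findLookalikes(SAMPLE_DEPENDENCIES);
}

for (const f of auditSampleProject()) {
  console.log(`${f.name} resembles ${f.lookalikeOf} (distance ${f.distance}); ` +
    `install hooks: ${f.installHooks.join(", ") || "none"}`);
}
```

Run against the sample project this reports only ‘@acitons/artifact’, at distance 1 from ‘@actions/artifact’ and with a postinstall hook; ‘@actions/core’ is skipped as an exact allowlist match and ‘left-pad’ is too far from every trusted name. The distance threshold of 2 is a starting point: raise it and the audit catches more creative misspellings at the cost of more false positives among legitimately similar package names, which is why the allowlist itself is excluded from scoring.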
👉 Read the original: The Hacker News