Malicious Typosquatted NPM Package

MITRE Techniques

• [T1195] Supply Chain Compromise – Malicious typosquatting npm packages (“@acitons/artifact” and “8jfiesaf83”) were published to the package registry to taint build environments: “typosquatting on the legitimate package @actions/artifact”.
• [T1059.004] Command and Scripting Interpreter: Node.js – A post-install hook downloaded and executed a node package containing an obfuscated “verify.js” which performed environment checks and exfiltration: “verify.js featured checks for certain GITHUB_ variables”.
• [T1204.002] User Execution: Malicious File – The package used an npm postinstall script to fetch and execute a “harness” binary during installation: “postinstall…curl …/harness -o ci_test_harness && chmod +x ci_test_harness && ./ci_test_harness”.
• [T1027] Obfuscated Files or Information – The binary was an obfuscated shell script compiled with a Shell Script Compiler and the node payload included obfuscated verify.js: “The binary was an obfuscated shell script…verify.js featured checks…”.
• [T1560.001] Archive Collected Data: Local Data Staging – The malware prepared environment data for exfiltration (e.g., PUT_FILE_ENC = STAGING_DIR + ‘/env.enc’) before encrypting and sending it: “PUT_FILE_ENC = STAGING_DIR + ‘/env.enc’”.
• [T1041] Exfiltration Over C2 Channel – Encrypted data was sent to attacker-controlled endpoints, using an AES key from a malicious host and exfiltration to a GitHub app.dev URL: “obtained an AES encryption key from …hopto[.]org… and then exfiltrated the encrypted data to …app.github[.]dev/sllkjdsss_user-dasd.txt”.
• [T1490] Inhibit Response Function – Time-based kill switch/expiry logic to prevent execution after certain dates: “There was a mechanism to prevent execution if the time is after 2025-11-06 UTC…tester…set to expire the day after.”