3 min read
Saved February 14, 2026
Do you care about this?
A typosquatted npm package named “@acitons/artifact” impersonated the legitimate “@actions/artifact” to exploit GitHub's CI/CD workflows. It stole tokens from build environments and published malicious artifacts, highlighting vulnerabilities in supply chain security.
If you do, here's more
A malicious npm package named “@acitons/artifact” was discovered impersonating the legitimate “@actions/artifact” module, targeting GitHub's CI/CD workflows. This package was uploaded on November 7 and designed to execute during the build process of GitHub-owned repositories. Once triggered, it captured tokens from the build environment, allowing it to publish malicious artifacts under GitHub's name. The attack relied on a common technique known as typosquatting, where attackers register near-identical package names to trick users into installing harmful code.
The malicious package gained over 260,000 downloads before it was detected, and it included six versions, all evading detection by popular antivirus software. GitHub later clarified that these packages were part of a controlled exercise conducted by its Red Team to test security defenses, assuring that its systems remained secure throughout the incident. Even so, the exercise highlighted a significant risk in CI/CD pipelines, where attackers can take advantage of higher privileges to inject malicious code and impersonate organizations.
Experts emphasized the need for organizations to rethink their security measures. The CI/CD pipeline often runs with more privileges than individual developers, making it a prime target for attackers. Recommendations for mitigating these risks include using short-lived, scoped tokens, automated scanning for suspicious packages, and validating package authenticity through checksum verification. Immediate actions for potentially affected teams include searching for the malicious package and associated identifiers, quarantining any impacted runners, and rotating all credentials.