Links
A typosquatted npm package named “@acitons/artifact” impersonated the legitimate “@actions/artifact” in order to exploit GitHub's CI/CD workflows. It stole tokens from build environments and published malicious artifacts, highlighting weaknesses in software supply-chain security.
This article outlines how to manage the recent change in NPM's token policy, which limits token validity to 90 days. It introduces a tool called github-update-secret that automates the process of updating access tokens across multiple GitHub repositories. While the long-term solution is to adopt OIDC, this tool provides a temporary fix.
This article outlines recent npm security breaches and provides a checklist for securing npm publish workflows. It emphasizes the importance of using granular npm tokens, 2FA, and trusted publishers to minimize risks from compromised credentials.
On November 24, 2025, over 1,000 NPM packages were compromised using a fake Bun runtime, leading to the infection of more than 27,000 GitHub repositories. The malicious code steals sensitive information and exfiltrates it via a GitHub Action runner. This incident appears to be linked to a previous attack identified as "Shai-Hulud."
Over 500 NPM packages were compromised by a self-replicating worm called Shai-Hulud, prompting the US Cybersecurity and Infrastructure Security Agency (CISA) to issue an alert for developers to secure their credentials and review dependencies. GitHub is implementing stricter authentication and security measures to prevent future attacks.