Cybersecurity researchers have discovered a malicious npm
package named "@acitons/artifact" that typosquats the legitimate
"@actions/artifact" package with the intent to target GitHub-owned
repositories. "We think the intent was to have this script execute
during a build of a GitHub-owned repository, exfiltrate the tokens
available to the build environment, and then use those tokens to
publish
Read more https://thehackernews.com/2025/11/researchers-detect-malicious-npm.html
