Researchers Detect Malicious npm Package Targeting GitHub-Owned Repositories

Cybersecurity researchers have discovered a malicious npm package named "@acitons/artifact" that typosquats the legitimate "@actions/artifact" package with the intent to target GitHub-owned repositories.
"We think the intent was to have this script execute during a build of a GitHub-owned repository, exfiltrate the tokens available to the build environment, and then use those tokens to publish