Malicious npm Packages Published via Compromised GitHub Actions Workflow

2025-09-18

A malicious GitHub Actions workflow exfiltrated an npm token with broad publishing rights from a shared repository, leading to the publication of malicious versions of 20 packages, including the popular @ctrl/tinycolor. The author's own GitHub account and repository were not directly compromised; instead, a collaborator with admin access to a shared repository allowed the attack to succeed. The attackers obtained the npm token from a GitHub Actions secret stored in that repository. GitHub and npm security teams responded quickly and unpublished the malicious packages, and the author released clean versions to clear caches. The incident highlights the risks of shared repositories and long-lived static tokens, and prompted a move towards npm's Trusted Publishing (OIDC) for enhanced security.
