Recently, security researchers disclosed a supply chain attack on the npm ecosystem in which a malicious package impersonated a legitimate module and infiltrated GitHub Actions build workflows. The incident once again sounds the alarm, reminding developers and enterprises to pay close attention to the security of their CI/CD (continuous integration / continuous deployment) pipelines. At the core of the attack, the attackers impersonated @actions/artifact, a commonly used official GitHub Actions module, and used carefully crafted malicious code to steal GitHub Acti ...
The typosquatted “@acitons/artifact” package targeted GitHub’s CI/CD workflows, stealing tokens and publishing malicious ...
Author | Daniel Dominguez; Translator | 明知山. At its annual GitHub Universe 2025 event, GitHub announced a new feature called AgentHQ, which lets developers create and deploy AI agents directly within the GitHub development environment. The feature further advances GitHub's strategy of integrating AI into the software development lifecycle and extends the earlier Copilot releases. Agents are designed as customizable, task-specific AI ..
Many open-source repositories contain privileged GitHub Actions workflows that execute untrusted code and can be triggered by attackers to expose credentials and access tokens, as MITRE and Splunk ...
Cybersecurity researchers have discovered a malicious npm package named "@acitons/artifact" that typosquats the legitimate " ...
The tj-actions developers cannot pinpoint exactly how the attackers compromised a GitHub personal access token (PAT) used by a bot to perform malicious code changes. Today, Wiz researchers think they ...
Researchers discovered malicious activity impacting GitHub and popular WordPress and npm tools that could pose significant supply chain risks. In a new report, Armis Labs highlighted three recently ...
A cascading supply chain attack on GitHub that targeted Coinbase in March has now been traced back to a single token stolen from a SpotBugs workflow, which allowed a threat actor to compromise ...