Supply chain, DevOps, Breach and attack simulation

GitHub: Typosquatted npm packages targeting credentials only an internal exercise


HackRead reports that GitHub has explained that its internal red team was behind the typosquatted npm packages believed by Veracode Threat Research to have been targeting GitHub code base credentials.

The malicious package "@acitons/artifact", a typosquat of the GitHub Actions Toolkit, which Veracode researchers found had amassed over 206,000 downloads and evaded anti-virus detection, was merely part of a red team exercise, according to GitHub.
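As an added example (not code from the article or from GitHub, Veracode or HackRead), the following check flags dependencies whose npm scope is one typo away from a trusted scope, the pattern behind "@acitons/artifact" imitating the @actions scope. The allowlist of trusted scopes and the sample package.json are assumptions constructed for the demo.

```javascript
// Optimal string alignment distance: one adjacent transposition ("ti" <-> "it")
// counts as a single edit, which plain Levenshtein would score as two.
function osaDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Assumed allowlist: scopes the organisation actually expects to depend on.
const TRUSTED_SCOPES = ['@actions', '@octokit', '@types'];

// Scope ("@actions") of a scoped package name, or null for unscoped names.
function scopeOf(name) {
  const m = /^(@[^/]+)\//.exec(name);
  return m ? m[1] : null;
}

// Walk dependencies and devDependencies; report names whose scope is a
// near-miss (distance 1) of a trusted scope without being an exact match.
function findSuspiciousScopes(pkgJson, trusted = TRUSTED_SCOPES) {
  const deps = { ...(pkgJson.dependencies || {}), ...(pkgJson.devDependencies || {}) };
  const findings = [];
  for (const name of Object.keys(deps)) {
    const scope = scopeOf(name);
    if (!scope || trusted.includes(scope)) continue;
    for (const t of trusted) {
      if (osaDistance(scope, t) === 1) findings.push({ name, lookalikeOf: t });
    }
  }
  return findings;
}

// Constructed sample package.json: one legitimate @actions package and one lookalike.
const SAMPLE = {
  dependencies: { '@actions/core': '^1.10.0', '@acitons/artifact': '^2.0.0', lodash: '^4.17.21' },
};
console.log(findSuspiciousScopes(SAMPLE));
```

Run it against a real package.json by replacing SAMPLE with `JSON.parse(require('fs').readFileSync('package.json'))`; a non-empty result is worth a manual look before install.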

"GitHub takes security seriously and regularly tests its security posture through rigorous, realistic Red Team exercises to ensure resilience against current threat actor techniques. At no point were GitHub systems or data at risk," said a GitHub spokesperson.

The disclosure follows the Open Worldwide Application Security Project's listing of Software Supply Chain Failures, the category the incident was initially filed under, among the 10 leading threats faced by web applications.
