🚨 Security Bulletins

Cheet's Threat Intelligence Feed

Last Updated: January 28, 2026

Critical

GitHub Actions Supply Chain Attack (@acitons typosquat)

📅 November 2025 🎯 npm, GitHub Actions ⚡ ACTIVE THREAT

A typosquatting attack targeting GitHub's internal CI/CD pipeline. The attack uses @acitons/artifact (note: "acitons" not "actions") to inject malicious code into build pipelines.

The malware uses time-limited "dead man's switch" execution, context-aware payloads that only activate in specific repos, and exfiltrates secrets via app.github.dev to bypass data loss prevention systems.

Indicators of Compromise

📦 @acitons/*, @actons/* 🌐 *.hopto.org, *.duckdns.org 📤 POST requests to *.app.github.dev

Mitigation Steps

  1. Run the scanner: curl i1.is/scan | sh
  2. Audit package-lock.json for typosquatted packages
  3. Pin GitHub Actions to SHA hashes, not version tags
  4. Restrict outbound network access from CI/CD runners
High

claude-flow npm Package Compromise

📅 January 2026 🎯 AI Tool Users ✅ REMEDIATED

The claude-flow npm package contained remote AI behavior injection capabilities via IPFS, allowing attackers to modify AI assistant behavior without updating the package.

Mitigation Steps

  1. Remove package: npm uninstall claude-flow
  2. Audit AI tool configurations
  3. Check ~/.claude/settings.json for suspicious MCP servers
Medium

GitHub Codespaces C2 Abuse

📅 Ongoing 🎯 Enterprise Networks ⚠️ ONGOING

Threat actors (including Scattered Spider) are using GitHub Codespaces port forwarding as a command-and-control channel. The app.github.dev domain is trusted by most enterprise firewalls, making detection difficult.

Mitigation Steps

  1. Disable public port forwarding in org Codespaces policy
  2. Monitor for unusual traffic patterns to *.app.github.dev
  3. Implement SSL inspection for developer tool domains
🛡️ Run Security Scan 📚 Security Cheat Sheet 🔒 Server Hardening