AsyncAPI npm supply-chain compromise spreads malware through trusted packages

AsyncAPI npm supply-chain compromise spreads malware through trusted packages

Attackers compromised the AsyncAPI npm organization and injected malicious code into multiple widely used packages, including generator and specs packages with more than two million weekly downloads. The malware was delivered through a compromised GitHub Actions workflow and executed at install time, turning a routine dependency update into an infection path. Microsoft and other researchers said the payload could steal browser credentials, SSH keys, npm tokens, AWS secrets, and crypto wallets while also providing RAT-like functionality. The incident is especially serious because package consumers often trust official namespace releases and automatically pull them into build systems and developer machines. This matters for software supply-chain security because the attack bypassed traditional perimeter defenses and leveraged CI/CD trust. It also shows how one compromised automation pipeline can affect enormous numbers of downstream users.

Sources

Leave a Reply

Your email address will not be published. Required fields are marked *


Post Comment