AsyncAPI npm supply-chain compromise spreads malware through trusted packages
Attackers compromised the AsyncAPI npm organization and injected malicious code into multiple widely used packages, including generator and specs packages with more than two million weekly downloads. The malware was delivered through a compromised GitHub Actions workflow and executed at install time, turning a routine dependency update into an infection path. Microsoft and other researchers said the payload could steal browser credentials, SSH keys, npm tokens, AWS secrets, and crypto wallets while also providing RAT-like functionality. The incident is especially serious because package consumers often trust official namespace releases and automatically pull them into build systems and developer machines. This matters for software supply-chain security because the attack bypassed traditional perimeter defenses and leveraged CI/CD trust. It also shows how one compromised automation pipeline can affect enormous numbers of downstream users.
Sources
- AsyncAPI npm Supply Chain Attack: Malware Injected Into Packages With 2 Million Weekly Downloads — Security Affairs
- Unpacking the AsyncAPI npm supply chain compromise and import-time payload delivery — Microsoft Security Blog
- AsyncAPI npm packages infected with credential-stealing malware — Lifeboat — Cybercrime & Malcode
- @asyncapi/specs (2.7M weekly downloads) got compromised today via a malicious CI commit — /r/cybersecurity


Leave a Reply