AsyncAPI malicious npm package supply-chain malware
Malware Activity
Updated: 15.07.2026 18:37
· First: 15.07.2026 18:37
· 📰 1 src / 1 articles
· H score: 21
Malicious AsyncAPI npm releases pushed a remote access trojan and info-stealing payload into packages with more than 2.25 million weekly downloads, putting downstream installs and lock files at risk. The trojanized versions were published through a compromised GitHub Actions release path in the @asyncapi namespace during a July 14 exposure window. The malicious code could establish persistence, contact external infrastructure, and collect secrets from development environments. Even after removal from npm, existing installs can still carry the payload until teams clean packages, rebuild lock files, and rotate credentials.