AsyncAPI malicious npm package supply-chain malware
Malware Activity
Summary
Hide ▲
Show ▼
Malicious AsyncAPI npm releases pushed a remote access trojan and info-stealing payload into packages with more than 2.25 million weekly downloads, putting downstream installs and lock files at risk. The trojanized versions were published through a compromised GitHub Actions release path in the @asyncapi namespace during a July 14 exposure window. The malicious code could establish persistence, contact external infrastructure, and collect secrets from development environments. Even after removal from npm, existing installs can still carry the payload until teams clean packages, rebuild lock files, and rotate credentials.
Related Happenings
AsyncAPI repositories and npm publishing workflow hit by network compromise
Incident
H score27
First: 15.07.2026 12:16
Last: 15.07.2026 12:16
Sources 1
How related:
Multiple security companies confirmed that on July 14, an attacker compromised two AsyncAPI GitHub repositories and injected malware into project files.
About this happening:
The **AsyncAPI** npm publishing pipeline was **compromised** in a **July 14** supply-chain attack that used the project’s normal **GitHub Actions** release path to publish trojani...
AsyncAPI repositories and npm publishing workflow hit by network compromise
IncidentHow related: Multiple security companies confirmed that on July 14, an attacker compromised two AsyncAPI GitHub repositories and injected malware into project files.
About this happening: The **AsyncAPI** npm publishing pipeline was **compromised** in a **July 14** supply-chain attack that used the project’s normal **GitHub Actions** release path to publish trojani...
Compromised @asyncapi npm packages distributing the Miasma loader
Malware Activity
H score29
First: 15.07.2026 12:16
Last: 15.07.2026 12:16
Sources 1
About this happening:
**Four compromised @asyncapi npm packages** now deliver a **multi-stage botnet loader** when imported, exposing consumers to **Miasma** payloads during normal Node.js module load....
Compromised @asyncapi npm packages distributing the Miasma loader
Malware ActivityAbout this happening: **Four compromised @asyncapi npm packages** now deliver a **multi-stage botnet loader** when imported, exposing consumers to **Miasma** payloads during normal Node.js module load....
Rollup polyfill npm package malware activity for remote access and data theft
Malware Activity
H score16
First: 03.07.2026 19:07
Last: 03.07.2026 19:07
Sources 1
About this happening:
**Malicious npm packages** disguised as **Rollup polyfill tooling** are now delivering **remote-access and data-theft payloads** to developer workstations and build machines. The...
Rollup polyfill npm package malware activity for remote access and data theft
Malware ActivityAbout this happening: **Malicious npm packages** disguised as **Rollup polyfill tooling** are now delivering **remote-access and data-theft payloads** to developer workstations and build machines. The...
Atomic-lockfile rootkit-infostealer distribution through AUR packages
Malware Activity
H score3
First: 12.06.2026 20:03
Last: 12.06.2026 20:03
Sources 1
About this happening:
**AUR packages** are distributing the **atomic-lockfile** **Linux rootkit and infostealer** through compromised build scripts, with **more than 400 packages** reported and the **o...
Atomic-lockfile rootkit-infostealer distribution through AUR packages
Malware ActivityAbout this happening: **AUR packages** are distributing the **atomic-lockfile** **Linux rootkit and infostealer** through compromised build scripts, with **more than 400 packages** reported and the **o...
AUR package-hijacking campaign delivering atomic-lockfile
Campaign
H score11
First: 12.06.2026 20:03
Last: 12.06.2026 20:03
Sources 1
About this happening:
**AUR package-hijacking campaign** is abusing **more than 400** compromised **Arch User Repository (AUR)** packages to deliver **atomic-lockfile**, turning the **AUR** build path...
AUR package-hijacking campaign delivering atomic-lockfile
CampaignAbout this happening: **AUR package-hijacking campaign** is abusing **more than 400** compromised **Arch User Repository (AUR)** packages to deliver **atomic-lockfile**, turning the **AUR** build path...
Timeline
-
15.07.2026 18:37 1 articles · 0h ago
AsyncAPI repositories are compromised and trojanized npm packages are published
Campaign Scope UpdateOn July 14, an attacker compromised two AsyncAPI GitHub repositories, exploited a misconfigured GitHub Actions workflow, and pushed trojanized packages in the @asyncapi namespace through npm's GitHub OIDC trusted-publisher integration. The malicious releases included @asyncapi/generator 3.3.1, @asyncapi/generator-helpers 1.1.1, @asyncapi/generator-components 0.7.1, @asyncapi/specs 6.11.2-alpha.1, and @asyncapi/specs 6.11.2, reaching a cumulative weekly download count of more than 2.25 million.
Show sources
- AsyncAPI npm packages infected with credential-stealing malware — www.bleepingcomputer.com — 15.07.2026 18:37
-
15.07.2026 18:37 2 articles · 0h ago
Analysts map a multi-stage AsyncAPI malware framework with secret-stealing behavior
Technical Analysis UpdateOn the article publication day, multiple security firms described the malicious AsyncAPI payload chain as an obfuscated first-stage JavaScript downloader, a second-stage script retrieved from the IPFS peer-to-peer content delivery network, and a third-stage 92,000-line malware framework that establishes persistence and communicates over HTTP, Nostr relays, Ethereum smart contracts, and a libp2p mesh network. The code can also download Gitleaks and HackBrowserData, while Aikido said the data-harvesting tool exits before collecting anything and Ox Security noted a local check for Russia that terminates the process on a match.
Show sources
- AsyncAPI npm packages infected with credential-stealing malware — www.bleepingcomputer.com — 15.07.2026 18:37
- AsyncAPI npm packages infected with credential-stealing malware — www.bleepingcomputer.com — 15.07.2026 18:37