Find notable cyber news and cases, enriched with sources, timelines, and signals.

AsyncAPI malicious npm package supply-chain malware

Malware Activity
First reported
Last updated
Happening score
H score 21
1 unique sources, 1 articles

Summary

Hide ▲

Malicious AsyncAPI npm releases pushed a remote access trojan and info-stealing payload into packages with more than 2.25 million weekly downloads, putting downstream installs and lock files at risk. The trojanized versions were published through a compromised GitHub Actions release path in the @asyncapi namespace during a July 14 exposure window. The malicious code could establish persistence, contact external infrastructure, and collect secrets from development environments. Even after removal from npm, existing installs can still carry the payload until teams clean packages, rebuild lock files, and rotate credentials.

Related Happenings

AsyncAPI repositories and npm publishing workflow hit by network compromise

Incident
H score27 First: 15.07.2026 12:16 Last: 15.07.2026 12:16 Sources 1

How related: Multiple security companies confirmed that on July 14, an attacker compromised two AsyncAPI GitHub repositories and injected malware into project files.

About this happening: The **AsyncAPI** npm publishing pipeline was **compromised** in a **July 14** supply-chain attack that used the project’s normal **GitHub Actions** release path to publish trojani...

Compromised @asyncapi npm packages distributing the Miasma loader

Malware Activity
H score29 First: 15.07.2026 12:16 Last: 15.07.2026 12:16 Sources 1

About this happening: **Four compromised @asyncapi npm packages** now deliver a **multi-stage botnet loader** when imported, exposing consumers to **Miasma** payloads during normal Node.js module load....

Rollup polyfill npm package malware activity for remote access and data theft

Malware Activity
H score16 First: 03.07.2026 19:07 Last: 03.07.2026 19:07 Sources 1

About this happening: **Malicious npm packages** disguised as **Rollup polyfill tooling** are now delivering **remote-access and data-theft payloads** to developer workstations and build machines. The...

Atomic-lockfile rootkit-infostealer distribution through AUR packages

Malware Activity
H score3 First: 12.06.2026 20:03 Last: 12.06.2026 20:03 Sources 1

About this happening: **AUR packages** are distributing the **atomic-lockfile** **Linux rootkit and infostealer** through compromised build scripts, with **more than 400 packages** reported and the **o...

AUR package-hijacking campaign delivering atomic-lockfile

Campaign
H score11 First: 12.06.2026 20:03 Last: 12.06.2026 20:03 Sources 1

About this happening: **AUR package-hijacking campaign** is abusing **more than 400** compromised **Arch User Repository (AUR)** packages to deliver **atomic-lockfile**, turning the **AUR** build path...

Timeline

  1. 15.07.2026 18:37 1 articles · 0h ago

    AsyncAPI repositories are compromised and trojanized npm packages are published

    Campaign Scope Update

    On July 14, an attacker compromised two AsyncAPI GitHub repositories, exploited a misconfigured GitHub Actions workflow, and pushed trojanized packages in the @asyncapi namespace through npm's GitHub OIDC trusted-publisher integration. The malicious releases included @asyncapi/generator 3.3.1, @asyncapi/generator-helpers 1.1.1, @asyncapi/generator-components 0.7.1, @asyncapi/specs 6.11.2-alpha.1, and @asyncapi/specs 6.11.2, reaching a cumulative weekly download count of more than 2.25 million.

    Show sources
  2. 15.07.2026 18:37 2 articles · 0h ago

    Analysts map a multi-stage AsyncAPI malware framework with secret-stealing behavior

    Technical Analysis Update

    On the article publication day, multiple security firms described the malicious AsyncAPI payload chain as an obfuscated first-stage JavaScript downloader, a second-stage script retrieved from the IPFS peer-to-peer content delivery network, and a third-stage 92,000-line malware framework that establishes persistence and communicates over HTTP, Nostr relays, Ethereum smart contracts, and a libp2p mesh network. The code can also download Gitleaks and HackBrowserData, while Aikido said the data-harvesting tool exits before collecting anything and Ox Security noted a local check for Russia that terminates the process on a match.

    Show sources