Find notable cyber news and cases, enriched with sources, timelines, and signals.

AsyncAPI repositories and npm publishing workflow hit by network compromise

Incident
First reported
Last updated
Happening score
H score 18
1 unique sources, 1 articles

Summary

Hide ▲

The AsyncAPI npm publishing pipeline was compromised, allowing malicious package versions to be published through the project’s normal release path and putting downstream consumers at risk. The attacker obtained push access to the repositories and abused GitHub Actions release automation, which produced packages with apparently valid OIDC provenance attestations. The compromise did not rely on a stolen npm token, and the affected versions were later unpublished from the npm registry.

Related Happenings

Compromised @asyncapi npm packages distributing the Miasma loader

Malware Activity
H score29 First: 15.07.2026 12:16 Last: 15.07.2026 12:16 Sources 1

How related: Four compromised npm packages in the @asyncapi namespace have been observed distributing a multi-stage botnet loader, according to findings from OX Security, SafeDep, Socket, and StepSecurity.

About this happening: **Four compromised @asyncapi npm packages** now deliver a **multi-stage botnet loader** when imported, exposing consumers to **Miasma** payloads during normal Node.js module load....

@Injectivelabs/[email protected] wallet-stealing package

Malware Activity
H score30 First: 10.07.2026 20:29 Last: 10.07.2026 20:29 Sources 1

About this happening: The malicious **@injectivelabs/[email protected]** package is a wallet-stealing malware activity that can expose **private keys** and **mnemonic seed phrases** when library functions...

Codfish/semantic-release-action hit by network compromise

Incident
H score21 First: 26.06.2026 14:05 Last: 26.06.2026 14:05 Sources 1

About this happening: The **codfish/semantic-release-action** GitHub Action was hit by a **malicious commit force-push** and **tag redirection** that caused trusted workflows to run attacker code. The...

Sapphire Sleet Mastra npm supply-chain campaign

Campaign
H score42 First: 20.06.2026 17:09 Last: 20.06.2026 17:09 Sources 1

About this happening: The **Mastra AI** supply-chain campaign was attributed to **Sapphire Sleet / BlueNoroff** after **Microsoft** said the operation compromised the **npm maintainer account "ehindero...

Easy-day-js Mastra package-publishing campaign

Campaign
H score30 First: 17.06.2026 10:38 Last: 17.06.2026 10:38 Sources 1

About this happening: The **easy-day-js** campaign mass-published more than **140 malicious npm packages** across the **@mastra/*** namespace, creating broad supply-chain exposure for developers and bu...

Timeline

  1. 15.07.2026 12:16 2 articles · 2h ago

    AsyncAPI release workflow publishes malicious npm packages

    Initial Disclosure

    Four compromised packages in the @asyncapi namespace—@asyncapi/[email protected], @asyncapi/[email protected], @asyncapi/[email protected], and @asyncapi/specs v6.11.2 and v6.11.2-alpha.1—were observed distributing a multi-stage botnet loader that delivers an encrypted second-stage payload named Miasma from IPFS. StepSecurity said the attacker gained push access to the repositories and used the project’s legitimate GitHub Actions release pipeline with valid OIDC provenance attestations, without stealing an npm token, and the malicious versions were later unpublished from the npm registry.

    Show sources