AsyncAPI repositories and npm publishing workflow hit by network compromise
Incident
Summary
Hide ▲
Show ▼
The AsyncAPI npm publishing pipeline was compromised, allowing malicious package versions to be published through the project’s normal release path and putting downstream consumers at risk. The attacker obtained push access to the repositories and abused GitHub Actions release automation, which produced packages with apparently valid OIDC provenance attestations. The compromise did not rely on a stolen npm token, and the affected versions were later unpublished from the npm registry.
Related Happenings
Compromised @asyncapi npm packages distributing the Miasma loader
Malware Activity
H score29
First: 15.07.2026 12:16
Last: 15.07.2026 12:16
Sources 1
How related:
Four compromised npm packages in the @asyncapi namespace have been observed distributing a multi-stage botnet loader, according to findings from OX Security, SafeDep, Socket, and StepSecurity.
About this happening:
**Four compromised @asyncapi npm packages** now deliver a **multi-stage botnet loader** when imported, exposing consumers to **Miasma** payloads during normal Node.js module load....
Compromised @asyncapi npm packages distributing the Miasma loader
Malware ActivityHow related: Four compromised npm packages in the @asyncapi namespace have been observed distributing a multi-stage botnet loader, according to findings from OX Security, SafeDep, Socket, and StepSecurity.
About this happening: **Four compromised @asyncapi npm packages** now deliver a **multi-stage botnet loader** when imported, exposing consumers to **Miasma** payloads during normal Node.js module load....
@Injectivelabs/[email protected] wallet-stealing package
Malware Activity
H score30
First: 10.07.2026 20:29
Last: 10.07.2026 20:29
Sources 1
About this happening:
The malicious **@injectivelabs/[email protected]** package is a wallet-stealing malware activity that can expose **private keys** and **mnemonic seed phrases** when library functions...
@Injectivelabs/[email protected] wallet-stealing package
Malware ActivityAbout this happening: The malicious **@injectivelabs/[email protected]** package is a wallet-stealing malware activity that can expose **private keys** and **mnemonic seed phrases** when library functions...
Codfish/semantic-release-action hit by network compromise
Incident
H score21
First: 26.06.2026 14:05
Last: 26.06.2026 14:05
Sources 1
About this happening:
The **codfish/semantic-release-action** GitHub Action was hit by a **malicious commit force-push** and **tag redirection** that caused trusted workflows to run attacker code. The...
Codfish/semantic-release-action hit by network compromise
IncidentAbout this happening: The **codfish/semantic-release-action** GitHub Action was hit by a **malicious commit force-push** and **tag redirection** that caused trusted workflows to run attacker code. The...
Sapphire Sleet Mastra npm supply-chain campaign
Campaign
H score42
First: 20.06.2026 17:09
Last: 20.06.2026 17:09
Sources 1
About this happening:
The **Mastra AI** supply-chain campaign was attributed to **Sapphire Sleet / BlueNoroff** after **Microsoft** said the operation compromised the **npm maintainer account "ehindero...
Sapphire Sleet Mastra npm supply-chain campaign
CampaignAbout this happening: The **Mastra AI** supply-chain campaign was attributed to **Sapphire Sleet / BlueNoroff** after **Microsoft** said the operation compromised the **npm maintainer account "ehindero...
Easy-day-js Mastra package-publishing campaign
Campaign
H score30
First: 17.06.2026 10:38
Last: 17.06.2026 10:38
Sources 1
About this happening:
The **easy-day-js** campaign mass-published more than **140 malicious npm packages** across the **@mastra/*** namespace, creating broad supply-chain exposure for developers and bu...
Easy-day-js Mastra package-publishing campaign
CampaignAbout this happening: The **easy-day-js** campaign mass-published more than **140 malicious npm packages** across the **@mastra/*** namespace, creating broad supply-chain exposure for developers and bu...
Timeline
-
15.07.2026 12:16 2 articles · 2h ago
AsyncAPI release workflow publishes malicious npm packages
Initial DisclosureFour compromised packages in the @asyncapi namespace—@asyncapi/[email protected], @asyncapi/[email protected], @asyncapi/[email protected], and @asyncapi/specs v6.11.2 and v6.11.2-alpha.1—were observed distributing a multi-stage botnet loader that delivers an encrypted second-stage payload named Miasma from IPFS. StepSecurity said the attacker gained push access to the repositories and used the project’s legitimate GitHub Actions release pipeline with valid OIDC provenance attestations, without stealing an npm token, and the malicious versions were later unpublished from the npm registry.
Show sources
- Compromised AsyncAPI npm Packages Deliver Multi-Stage Botnet Malware — thehackernews.com — 15.07.2026 12:16
- Compromised AsyncAPI npm Packages Deliver Multi-Stage Botnet Malware — thehackernews.com — 15.07.2026 12:16