Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

​ ​AsyncAPI npm packages infected with credential-stealing malware

0
Medium
Malwareremote
Published: 07/15/2026 (07/15/2026, 15:37:27 UTC)
Source: Bleeping Computer

Description

Five malicious versions of AsyncAPI npm packages were published in a supply-chain attack that delivered a remote access trojan with credential and information-stealing capabilities. The attacker exploited a misconfigured GitHub Actions workflow to inject malware into legitimate release workflows, resulting in trojanized packages with valid provenance attestations. The malware includes a multi-stage payload that establishes persistence and communicates with command-and-control servers over multiple channels. Although some automated data harvesting functions reportedly do not work, manual exploitation remains possible. The malicious packages have been removed from npm, but existing installations and lock files may still contain the infected versions. The exposure window lasted approximately four hours on July 14, 2026. Recommended mitigation includes pinning to known-good versions, regenerating lock files, removing malicious payloads, terminating malicious processes, and rotating credentials.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/15/2026, 15:48:15 UTC

Technical Analysis

This threat involves a supply-chain attack on the AsyncAPI npm packages where an attacker compromised two AsyncAPI GitHub repositories by exploiting a misconfigured GitHub Actions CI/CD pipeline. The attacker pushed commits under a placeholder identity, allowing the legitimate release workflows to publish trojanized packages with valid SLSA provenance attestations. The infected packages include @asyncapi/generator 3.3.1, @asyncapi/generator-helpers 1.1.1, @asyncapi/generator-components 0.7.1, and @asyncapi/specs 6.11.2-alpha.1 and 6.11.2. The malware is a multi-stage remote access trojan that downloads a large modular malware framework from IPFS, establishes persistence, and communicates with C2 servers via HTTP, Nostr relays, Ethereum smart contracts, and libp2p mesh networks. Its primary purpose is stealing credentials, authentication keys, tokens, browser data, CI/CD secrets, cryptocurrency wallets, and databases. Some automated data harvesting functions are non-functional, but manual exploitation is possible. The malware avoids infecting systems in Russia. The malicious packages have been removed from npm, but residual risk remains from existing installations and lock files created during the exposure window of about four hours on July 14, 2026.

Potential Impact

The attack compromises the integrity of AsyncAPI npm packages by injecting a remote access trojan capable of stealing sensitive information such as credentials, authentication tokens, browser data, CI/CD secrets, cryptocurrency wallets, and databases. The malware establishes persistence and communicates with multiple command-and-control channels, enabling ongoing unauthorized access and data exfiltration. Although some automated data collection features are reportedly non-functional, attackers can manually leverage the shell to harvest data. The presence of malicious versions in existing installations and lock files poses a continued risk until remediated.

Mitigation Recommendations

All five malicious package versions have been removed from npm. Developers should pin dependencies to known-good versions and regenerate lock files to avoid installing the trojanized packages. It is critical to remove the hidden malicious payload file 'NodeJS/sync.js' from affected systems, terminate any running malicious processes, and rotate all credentials and secrets that may have been exposed. These steps address the residual risk from the exposure window between 07:10 and 11:18 UTC on July 14, 2026. No official patch is applicable since this is a supply-chain compromise; remediation depends on cleaning affected environments and updating dependencies.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Article Source
{"url":"https://www.bleepingcomputer.com/news/security/-asyncapi-npm-packages-infected-with-credential-stealing-malware/","fetched":true,"fetchedAt":"2026-07-15T15:47:38.997Z","wordCount":861}

Threat ID: 6a57ab9b68715ace43fd775a

Added to database: 07/15/2026, 15:47:39 UTC

Last enriched: 07/15/2026, 15:48:15 UTC

Last updated: 07/15/2026, 16:55:12 UTC

Views: 7

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses