AsyncAPI npm packages infected with credential-stealing malware
Five malicious versions of AsyncAPI npm packages were published in a supply-chain attack delivering a remote access trojan with credential-stealing capabilities. The attack compromised the npm package registry with info-stealing malware.
- Disclosed
- Last updated
- Blast radius
- Multiple AsyncAPI npm packages; exact reach depends on download counts and user adoption of malicious versions
- Ecosystems
- Attack vectors
- Affected entities
- AsyncAPI packagesFive malicious versions published to npm
Five malicious versions of AsyncAPI packages were published to the Node Package Manager (npm) registry in a confirmed supply-chain attack. The compromised packages contained a remote access trojan with information-stealing capabilities, allowing attackers to exfiltrate credentials and sensitive data from affected systems.\n\nThe attack targeted the npm ecosystem, a critical dependency source for JavaScript and Node.js projects. Developers who installed the malicious versions during the window of availability would have executed the trojan on their systems and in their build pipelines.\n\nThis incident represents a direct compromise of package artifacts on the npm registry, affecting any downstream users or projects that depend on the affected AsyncAPI packages.
Indicators of compromise
- Packages
- AsyncAPI packages (five malicious versions)
Remediation
- Identify and audit all installations of AsyncAPI npm packages, particularly versions published around the attack window
- Remove or downgrade to known-clean versions of affected AsyncAPI packages
- Scan systems and build environments for signs of the remote access trojan and credential theft
- Rotate any credentials or secrets that may have been exposed on affected systems
- Review npm package integrity and enable package signature verification where available
- Monitor for unauthorized access or lateral movement from compromised development environments
Sources
- AsyncAPI npm packages infected with credential-stealing malware · BleepingComputer
Cite this entry
" AsyncAPI npm packages infected with credential-stealing malware." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed July 15, 2026; last updated July 15, 2026. https://supplychainattack.org/incident/asyncapi-npm-packages-infected-with-credential-stealing-malware-1676vi
Suggest a correction
Found an error or have a newer source? Corrections to factual errors take priority over new entries.
Related incidents
- resolvedcritical
Malicious code in rhynpm (npm)
The npm package rhynpm was found to contain malicious code. The package was identified by the OpenSSF malicious packages project and reported via GitHub Security Advisory GHSA-5jr8-4283-75xm.
npmCompromised package - activecritical
Malware in fastify-addon
Malware discovered in the npm package fastify-addon. Systems with this package installed or running are considered fully compromised and require immediate remediation.
npmCompromised package - resolvedcritical
Malware in npm-rce-poc
The npm package npm-rce-poc contained malware that granted full system compromise to attackers. Any computer with this package installed or running should be considered fully compromised.
npmCompromised package - containedcritical
Malware in datefmt-helper
Malware was discovered in the npm package datefmt-helper. Systems with this package installed are considered fully compromised and require immediate remediation.
npmCompromised package