Skip to content
supplychainattack.orgSupply chain attack incident catalog
containedcritical

​ ​AsyncAPI npm packages infected with credential-stealing malware

Five malicious versions of AsyncAPI npm packages were published in a supply-chain attack delivering a remote access trojan with credential-stealing capabilities. The attack compromised the npm package registry with info-stealing malware.

ShareXLinkedInHacker News
Disclosed
Last updated
Blast radius
Multiple AsyncAPI npm packages; exact reach depends on download counts and user adoption of malicious versions
Ecosystems
Attack vectors
Affected entities
  • AsyncAPI packagesFive malicious versions published to npm

Five malicious versions of AsyncAPI packages were published to the Node Package Manager (npm) registry in a confirmed supply-chain attack. The compromised packages contained a remote access trojan with information-stealing capabilities, allowing attackers to exfiltrate credentials and sensitive data from affected systems.\n\nThe attack targeted the npm ecosystem, a critical dependency source for JavaScript and Node.js projects. Developers who installed the malicious versions during the window of availability would have executed the trojan on their systems and in their build pipelines.\n\nThis incident represents a direct compromise of package artifacts on the npm registry, affecting any downstream users or projects that depend on the affected AsyncAPI packages.

Indicators of compromise

Packages
  • AsyncAPI packages (five malicious versions)

Remediation

  • Identify and audit all installations of AsyncAPI npm packages, particularly versions published around the attack window
  • Remove or downgrade to known-clean versions of affected AsyncAPI packages
  • Scan systems and build environments for signs of the remote access trojan and credential theft
  • Rotate any credentials or secrets that may have been exposed on affected systems
  • Review npm package integrity and enable package signature verification where available
  • Monitor for unauthorized access or lateral movement from compromised development environments

Sources

  1. ​ ​AsyncAPI npm packages infected with credential-stealing malware · BleepingComputer

Cite this entry

"​ ​AsyncAPI npm packages infected with credential-stealing malware." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed July 15, 2026; last updated July 15, 2026. https://supplychainattack.org/incident/asyncapi-npm-packages-infected-with-credential-stealing-malware-1676vi

Suggest a correction

Found an error or have a newer source? Corrections to factual errors take priority over new entries.

  1. resolvedcritical

    Malicious code in rhynpm (npm)

    The npm package rhynpm was found to contain malicious code. The package was identified by the OpenSSF malicious packages project and reported via GitHub Security Advisory GHSA-5jr8-4283-75xm.

    npmCompromised package
  2. activecritical

    Malware in fastify-addon

    Malware discovered in the npm package fastify-addon. Systems with this package installed or running are considered fully compromised and require immediate remediation.

    npmCompromised package
  3. resolvedcritical

    Malware in npm-rce-poc

    The npm package npm-rce-poc contained malware that granted full system compromise to attackers. Any computer with this package installed or running should be considered fully compromised.

    npmCompromised package
  4. containedcritical

    Malware in datefmt-helper

    Malware was discovered in the npm package datefmt-helper. Systems with this package installed are considered fully compromised and require immediate remediation.

    npmCompromised package