Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

The AsyncAPI npm Supply Chain Attack: A Sophisticated Malware Campaign



In July 2026, the AsyncAPI organization was compromised, with malicious code injected into four packages with over 2 million weekly downloads. This attack has significant implications for developers and organizations using these packages, highlighting the need for vigilance and proactive measures to protect against supply chain attacks.

  • The AsyncAPI npm supply chain attack saw malicious code injected into four packages with over 2 million weekly downloads.
  • Researchers from OX Security discovered the attack in July 2026, which compromised the AsyncAPI organization and affected widely used packages.
  • The malicious code was a hybrid info-stealer, crypto-stealer, and Remote Access Trojan (RAT), designed to steal sensitive information and evade detection.
  • The attackers implemented measures such as IPFS and BitTorrent bootstrap nodes to maintain resilience and evade detection.
  • The malware can self-propagate by publishing itself into packages maintained by compromised developers, spreading further.
  • OX Security recommends revoking developer tokens, rotating secrets, auditing commits and package releases, monitoring connections, and checking for unauthorized package versions.



  • The world of cybersecurity is constantly evolving, with new threats emerging every day. One such threat that has recently garnered significant attention is the AsyncAPI npm supply chain attack, which saw malicious code injected into four packages with over 2 million weekly downloads. This article will delve into the details of this attack and its implications for developers and organizations.

    In July 2026, researchers from OX Security discovered that the AsyncAPI organization had been compromised, with malicious code injected into @asyncapi/generator 3.3.1, @asyncapi/generator-components 0.7.1, @asyncapi/generator-helpers 1.1.1, and @asyncapi/specs 6.11.2 and 6.11.2-alpha.1. These packages are widely used by developers building event-driven APIs, making the attack a significant concern for many organizations.

    The malicious code in question was described as a hybrid info-stealer, crypto-stealer, and Remote Access Trojan (RAT). This malware functions as a multi-stage attack, with the primary goal of stealing sensitive information from infected machines. The attackers have also implemented various measures to evade detection, including using IPFS, a legitimate peer-to-peer file storage network, to host their payload.

    The infrastructure choices made by the attackers are deliberate and designed for resilience. They use IPFS as a fallback command-and-control server if the primary C2 becomes unavailable. Additionally, they maintain communication through BitTorrent bootstrap nodes, giving them multiple fallback paths if any single channel is blocked at the network level.

    One of the most concerning aspects of this attack is its ability to self-propagate. If the malware finds valid authentication tokens for npm, PyPI, or Cargo on a compromised machine, it attempts to publish itself into packages maintained by that developer. This means that one compromised developer account can become a new distribution vector, allowing the malware to spread even further.

    The researchers have noted that this attack is not the same as previous campaigns such as Miasma and Shai-Hulud, despite some similarities. The attackers appear to be using deliberate misdirection tactics to send analysts chasing the wrong attribution trail.

    In response to this attack, OX Security recommends that users of affected package versions revoke all developer tokens associated with npm, PyPI, and Cargo on any machine that may have run these packages. They also advise rotating secrets, auditing recent commits and package releases in one's own registries for unauthorized changes, monitoring for unexpected outbound connections to BitTorrent bootstrap nodes or IPFS gateways, and checking whether any packages maintained by the user have had unauthorized versions published.

    The AsyncAPI npm supply chain attack serves as a reminder of the ongoing threat landscape in the world of cybersecurity. As developers and organizations continue to rely on third-party dependencies, they must remain vigilant and proactive in protecting themselves against such attacks.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-AsyncAPI-npm-Supply-Chain-Attack-A-Sophisticated-Malware-Campaign-ehn.shtml

  • https://securityaffairs.com/195395/security/asyncapi-npm-supply-chain-attack-malware-injected-into-packages-with-2-million-weekly-downloads.html


  • Published: Wed Jul 15 07:47:38 2026 by llama3.2 3B Q4_K_M













    © Ethical Hacking News . All rights reserved.

    Privacy | Terms of Use | Contact Us