Select a theme from the list.
Insights

From our experts

Latest
Microsoft Makes Passkeys the Entra ID Default and Sets a Deadline for Native SMS AuthenticationSonicWall Zero-Days Under Active Attack Demand Immediate SMA1000 PatchingCritical Chrome and Firefox Updates Put Browser Restarts Back on the Security AgendaAsyncAPI Package Breach Turns Trusted Build Pipelines Into a Malware Delivery SystemMicrosoft Expands AI-Led Security Hardening and Sets 2029 Quantum-Safe GoalGlobal CMS Exploitation Wave Plants Webshells on Business WebsitesExposed Attack Server Unmasks Three Microsoft 365 Phishing OperationsMicrosoft Prepares Windows Customers for a Faster Era of AI-Driven PatchingLaser Attack Exposes an Unpatchable Weakness in Tangem Crypto Wallet CardsGlobal CMS Exploitation Wave Puts Business Websites at Immediate RiskMacOS Malware 'Poseidon Stealer' Rebranded as 'Odyssey Stealer'CISA Warns of Critical Vulnerabilities in Mitsubishi Electric ICS HardwareMicrosoft Makes Passkeys the Entra ID Default and Sets a Deadline for Native SMS AuthenticationSonicWall Zero-Days Under Active Attack Demand Immediate SMA1000 PatchingCritical Chrome and Firefox Updates Put Browser Restarts Back on the Security AgendaAsyncAPI Package Breach Turns Trusted Build Pipelines Into a Malware Delivery SystemMicrosoft Expands AI-Led Security Hardening and Sets 2029 Quantum-Safe GoalGlobal CMS Exploitation Wave Plants Webshells on Business WebsitesExposed Attack Server Unmasks Three Microsoft 365 Phishing OperationsMicrosoft Prepares Windows Customers for a Faster Era of AI-Driven PatchingLaser Attack Exposes an Unpatchable Weakness in Tangem Crypto Wallet CardsGlobal CMS Exploitation Wave Puts Business Websites at Immediate RiskMacOS Malware 'Poseidon Stealer' Rebranded as 'Odyssey Stealer'CISA Warns of Critical Vulnerabilities in Mitsubishi Electric ICS Hardware
Security Insight

AsyncAPI Package Breach Turns Trusted Build Pipelines Into a Malware Delivery System

AsyncAPI Package Breach Turns Trusted Build Pipelines Into a Malware Delivery System
Photo by Tima Miroshnichenko on Pexels

Attackers compromised four packages in the AsyncAPI npm namespace and used the project's legitimate release workflows to distribute a sophisticated multi-stage botnet loader. The incident highlights a serious limitation of software provenance: a package can carry valid attestations while still containing malicious code introduced through compromised repository access.

News Date: 2026-07-15

A software supply-chain attack involving the widely recognized AsyncAPI project has demonstrated how trusted development infrastructure can be turned against its own users. Four npm packages in the @asyncapi namespace were compromised and used to distribute an obfuscated loader that retrieved an encrypted malware framework from the InterPlanetary File System.

Malware Activated During Normal Use

The malicious releases affected specific versions of generator-helpers, generator-components, generator and specs. Unlike familiar npm attacks that rely on installation scripts, this implant activated when a poisoned module was loaded by Node.js during a build or development task. That distinction matters because security policies focused exclusively on install-time behavior may not detect the execution.

The final payload, identified by researchers as Miasma, supports credential theft, persistence, lateral movement and propagation through software registries. It also includes several command-and-control options, including HTTP, IPFS, peer-to-peer protocols and an Ethereum smart contract. Researchers reported that the malware could establish persistence through Windows Registry keys, Linux system services, scheduled tasks and macOS launch agents.

Valid Provenance Did Not Mean Safe Code

Investigators believe the attacker obtained repository push access and then allowed the project's genuine GitHub Actions workflow to publish the packages. No npm publishing token needed to be stolen. As a result, the malicious releases received legitimate provenance attestations because they were technically produced by an authorized workflow.

In my view, this is the most important lesson from the incident. Provenance can confirm where a package was built, but it cannot prove that every commit entering the build was authorized or trustworthy. Organizations should treat attestations as one control within a larger verification process, not as an automatic declaration of safety.

Recommended Response

  • Identify systems that imported or executed the affected package versions.
  • Isolate and investigate exposed developer workstations and CI runners.
  • Rotate credentials, tokens and secrets accessible to affected build processes.
  • Review repository push events, branch protections and workflow modifications.
  • Require independent approval for release-triggering commits.

The malicious versions have been removed from npm, but deletion does not clean systems that already loaded them. Security teams should assume potential compromise wherever the affected code ran and conduct endpoint, credential and network investigations accordingly.

Talk to our team →

Latest

Microsoft Makes Passkeys the Entra ID Default and Sets a Deadline for Native SMS AuthenticationJul 15, 2026SonicWall Zero-Days Under Active Attack Demand Immediate SMA1000 PatchingJul 15, 2026Critical Chrome and Firefox Updates Put Browser Restarts Back on the Security AgendaJul 15, 2026AsyncAPI Package Breach Turns Trusted Build Pipelines Into a Malware Delivery SystemJul 15, 2026Microsoft Expands AI-Led Security Hardening and Sets 2029 Quantum-Safe GoalJul 13, 2026Global CMS Exploitation Wave Plants Webshells on Business WebsitesJul 13, 2026

Most read

1Global CMS Exploitation Wave Plants Webshells on Business Websites2Exposed Attack Server Unmasks Three Microsoft 365 Phishing Operations3Microsoft Expands AI-Led Security Hardening and Sets 2029 Quantum-Safe Goal4Laser Attack Exposes an Unpatchable Weakness in Tangem Crypto Wallet Cards5Microsoft Prepares Windows Customers for a Faster Era of AI-Driven Patching6Switzerland Mandates 24-Hour Cyberattack Reporting for Critical Sectors