2 min read

AsyncAPI npm breach hit multiple release pipelines

Upwind says attackers compromised several official AsyncAPI npm packages by breaching multiple repos and publishing pipelines.

Image: TNW

A coordinated attack on official AsyncAPI npm packages appears to have gone well beyond a single poisoned dependency. In a new investigation, cloud security firm Upwind said attackers compromised multiple repositories and publishing pipelines, letting them ship backdoored code through legitimate release channels.

According to Upwind, the campaign touched several parts of the AsyncAPI ecosystem. Researchers confirmed compromises in two separate GitHub repositories and later found a second independent repository compromise. They also saw attacks targeting different release branches and abuse of different OpenID Connect (OIDC) publishing identities within a short period, suggesting the attackers had access to more than one path for publishing packages.

What stood out was how the malicious code ran. Upwind said the attackers did not rely on the usual preinstall or postinstall npm scripts often associated with supply chain attacks. Instead, the code executed during normal package imports or through other execution paths, making it harder to catch with security tools that mainly watch installation events.

Upwind said the same infrastructure and malware patterns appeared repeatedly across the compromised repositories and pipelines, pointing to a single coordinated operation aimed at the software release process itself.

Recommended reading

Telegram’s t.me links return after sanctions hiccup

“This wasn’t just a malicious package -it was a compromise of trust. Multiple official AsyncAPI packages were published with backdoored code from separate repositories and publishing pipelines, showing that attackers are increasingly targeting the software release process itself.”

Amiram Shachar, CEO and Co-Founder of Upwind

The warning extends beyond package maintainers. Because the affected packages were published through official channels and looked legitimate, developer workstations and CI/CD environments that imported them should be treated as potentially compromised, Upwind said.

The company recommends that organizations:

  • Check whether affected package versions entered development environments
  • Verify exact dependency versions rather than assuming current releases are safe
  • Pin dependencies to verified versions
  • Review dependency updates, lockfiles, and Software Bills of Materials (SBOMs) for unexpected changes
  • Rotate credentials that were accessible from impacted developer machines or CI/CD runners

Upwind said it is continuing to monitor the campaign as attackers shift toward techniques that trigger during ordinary application behavior rather than during package installation.

Sophia Reynolds

Security Editor

Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.

via TNW

// Keep reading