AsyncAPI npm packages infected with credential-stealing malware
ID: 9fc2d7f1-ccdc-5ce3-8146-f3176d6ac03d
STIX ID: report--9fc2d7f1-ccdc-5ce3-8146-f3176d6ac03d
Feed Name: Bleeping Computer
On 14 July an attacker abused a misconfigured GitHub Actions CI/CD workflow to publish five trojanized AsyncAPI packages to npm (cumulatively downloaded millions of times), delivering a multi-stage RAT/info-stealer that loads a second-stage from IPFS and a 92,000-line modular third-stage with persistence and C2 over HTTP, Nostr, Ethereum smart contracts, and libp2p; packages were removed after an approximate 4-hour exposure window, but existing installs and lockfiles may remain compromised and remediation (pinning, regenerating lockfiles, removing payload, rotating credentials) is recommended.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
