logo

​ ​AsyncAPI npm packages infected with credential-stealing malware

ID: 9fc2d7f1-ccdc-5ce3-8146-f3176d6ac03d

STIX ID: report--9fc2d7f1-ccdc-5ce3-8146-f3176d6ac03d

Feed Name: Bleeping Computer

Threat Score
85/100

Date Published: 2026-07-15

Date Updated: 2026-07-15

Author: Bill Toulas

...
...

On 14 July an attacker abused a misconfigured GitHub Actions CI/CD workflow to publish five trojanized AsyncAPI packages to npm (cumulatively downloaded millions of times), delivering a multi-stage RAT/info-stealer that loads a second-stage from IPFS and a 92,000-line modular third-stage with persistence and C2 over HTTP, Nostr, Ethereum smart contracts, and libp2p; packages were removed after an approximate 4-hour exposure window, but existing installs and lockfiles may remain compromised and remediation (pinning, regenerating lockfiles, removing payload, rotating credentials) is recommended.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.