Cloud security firm Upwind revealed a coordinated attack targeting the AsyncAPI ecosystem’s software release process, involved multiple GitHub repositories and publishing pipelines. The campaign allowed malicious code to be distributed through official npm packages in ways that evade common detection methods.
- Attackers accessed multiple AsyncAPI npm publishing pipelines
- Malicious code executed during normal package imports, not just install
- Security risks extend to developer workstations and CI/CD systems
What happened
Upwind’s investigation uncovered a multi-faceted attack campaign that compromised more than one official AsyncAPI npm package repository and related publishing workflows. This was not an isolated incident involving just one package but a coordinated effort targeting multiple release branches and using different OpenID Connect identities for publishing.
The attackers embedded malicious code that activated during typical usage of the packages, not through the usual preinstall or postinstall methods. This subtle approach enabled the malware to evade detection tools focused on monitoring installation scripts, allowing backdoors to enter applications via expected workflows.
Why it matters
The breach highlights a fundamental vulnerability in modern software supply chains, where developers rely heavily on open source npm packages through automated dependency management. The attack exploited trust in official package channels, posing serious risks to ecosystems downstream of affected repositories.
Since malicious code ran during normal invocation of the compromised packages, affected environments—including developer machines and CI/CD pipelines—may already be infiltrated. This incident underscores the danger of supply chain attacks that target the software release process itself rather than individual components.
What to watch next
Organizations using AsyncAPI npm packages should audit their dependencies, confirm affected version usage, and consider pinning to verified safe releases. Reviewing lockfiles, Software Bills of Materials (SBOMs), and dependency updates for anomalies is critical to mitigating risks from this incident.
Additionally, any credentials accessible from compromised developer workstations or CI/CD systems should be rotated promptly. The broader software community will likely watch how these sophisticated supply chain attacks evolve, emphasizing the need for improved security in release pipelines.