🟠 High  |  Source: The Hacker News


Four npm packages within the @asyncapi namespace were compromised and used to distribute a multi-stage botnet loader, meaning any project installing these packages during the affected window may have executed malicious code. The attack targets the software supply chain by hijacking trusted, widely-used open-source tooling. This is particularly concerning given AsyncAPI’s popularity in API-driven and event-driven architecture projects.

Security Architect’s Take: Audit your CI/CD pipelines and developer environments for installations of the four affected @asyncapi packages and treat any affected systems as potentially compromised. Implement or review npm package integrity controls — including lockfile enforcement, private registry mirroring, and automated supply chain scanning tools such as Socket or Sigstore — to detect future namespace-level compromises before they reach production.

Original advisory: Compromised AsyncAPI npm Packages Deliver Multi-Stage Botnet Malware