Cyber Warfare · Today's Signal

AsyncAPI's npm packages got backdoored — check your lockfiles now

Published 2026-07-15 · SAL Cyber Command Intelligence Network
AsyncAPI's npm packages got backdoored — check your lockfiles now

Multiple npm packages published under the AsyncAPI organization were found infected with credential-stealing malware, according to reporting from BleepingComputer and The Hacker News. AsyncAPI is a widely used open-source specification and tooling ecosystem for describing event-driven APIs, meaning the compromised packages sit in the dependency trees of a meaningful number of backend and messaging-infrastructure projects rather than in some obscure niche library nobody imports.

This is the same playbook that's hit npm repeatedly over the past two years: an attacker gains access to a maintainer account or publishing pipeline for a trusted, moderately popular package, slips a credential-harvesting payload into a routine-looking version bump, and lets the ecosystem's own automation do the distribution work. CI pipelines pull the update automatically, developers run `npm install` without a second thought, and the malware is inside the build before anyone's looked at a diff. The pattern keeps working because open-source supply chains still run on implicit trust in maintainer identity, not on verified provenance — and attackers have learned that compromising one popular package beats phishing a thousand individual developers.

The SAL read: if AsyncAPI tooling touches your stack, don't wait for a postmortem — audit your lockfiles for the affected versions today, rotate any credentials that build agents or CI runners had access to during the exposure window, and treat every "routine" dependency update from here forward as something that needs a diff review, not a rubber stamp.

Sources: BLEEPINGCOMPUTER · THE HACKER NEWS
SAL SENTRY — your private AI security operations center.24/7 watch on network, cloud, endpoints, and email. Flat $999/mo. Live in 48 hours.