A commit to the asyncapi/generator GitHub repository injected obfuscated JavaScript into source files across multiple packages, and four malicious versions were then published to npm on 2026-07-14. The active incident affects high-download packages including @asyncapi/generator, @asyncapi/generator-components, @asyncapi/generator-helpers, and @asyncapi/specs, with no revert, deprecation, or maintainer advisory published yet. #asyncapi/generator #asyncapi/specs
Keypoints
- The asyncapi/generator GitHub repository was compromised through commit 3eab3ec9304aa26081358330491d3cfeb55cc245, which injected obfuscated JavaScript into source files.
- Four malicious npm package versions were released on 2026-07-14.
- Affected packages include @asyncapi/generator 3.3.1, @asyncapi/generator-components 0.7.1, @asyncapi/generator-helpers 1.1.1, and @asyncapi/specs 6.11.2 plus 6.11.2-alpha.1.
- The combined pre-incident weekly download volume for the affected packages exceeds 3 million.
- @asyncapi/specs alone accounts for roughly 2 million downloads per week, making this a high-exposure supply-chain event.
- No revert, deprecation, or maintainer advisory has been published for the malicious releases at the time of writing.
- Datadog Code Security can be used to identify hosts, containers, and build environments where the compromised versions were installed.
MITRE Techniques
- [T1059.007] JavaScript β Malicious obfuscated JavaScript was injected into source files and likely executed within package install or runtime contexts (βinjected obfuscated JavaScript into source files across multiple packagesβ).
Indicators of Compromise
- [Git commit] source control compromise used to introduce the malicious code β 3eab3ec9304aa26081358330491d3cfeb55cc245
- [npm package versions] malicious releases published to npm β @asyncapi/[email protected], @asyncapi/[email protected], and other 2 versions
- [npm package versions] additional affected releases β @asyncapi/[email protected], @asyncapi/[email protected] and 6.11.2-alpha.1
Read more: https://securitylabs.datadoghq.com/articles/compromised-asyncapi-npm-packages/