Five malicious AsyncAPI packages were published to npm in a supply-chain attack that used compromised GitHub Actions workflows to deliver a remote access trojan with data-stealing capabilities. The attack affected widely used @asyncapi packages, leveraged legitimate publishing pipelines and SLSA attestations, and targeted secrets, browser data, wallets, and CI/CD credentials. #AsyncAPI #GitHubActions #npm #Miasma
Keypoints
- Attackers compromised two AsyncAPI GitHub repositories and injected malware into project files.
- Five trojanized packages were published in the @asyncapi namespace on npm.
- The supply-chain attack abused a misconfigured GitHub Actions workflow and trusted-publisher integration.
- The malware used multiple stages, including IPFS retrieval and a modular framework with persistence.
- The payload targeted secrets, credentials, wallets, databases, and CI/CD data before being removed from npm.