Trojanised AsyncAPI packages slip onto npm, hitting a library downloaded 2.25 million times a week
Attackers hijacked a GitHub build pipeline on 14 July to publish five poisoned versions of AsyncAPI tools, wiring in a stealthy info-stealer that talks to its operators over Ethereum and peer-to-peer networks.

Key points
- Five malicious versions of AsyncAPI packages were published to npm on 14 July 2025 during a four-hour window between 07:10 and 11:18 UTC.
- The affected packages have a combined weekly download count of more than 2.25 million, with @asyncapi/specs alone accounting for 2.1 million.
- Attackers broke in through a misconfigured GitHub Actions build pipeline, not by stealing developer passwords or planting a rogue maintainer.
- The malware tried to steal credentials, browser data, crypto wallets and secrets from AI developer tools, but researchers at Aikido found the data-stealing routines exited before collecting anything.
- All five malicious versions have been pulled from npm, but any machine that installed them during the exposure window may still be infected.
Someone slipped booby-trapped code into a widely used developer toolkit. For a few hours on 14 July, if you downloaded certain AsyncAPI packages from npm (the giant public library where JavaScript developers grab reusable code), you got a hidden info-stealer along with them.
AsyncAPI is a popular open-source project for describing message-based software systems. Its packages are pulled down millions of times a week. That scale is why this matters.
Five poisoned versions went out under the @asyncapi name. The biggest, @asyncapi/specs version 6.11.2, sees 2.1 million weekly downloads on its own. The others hit between 34,000 and 101,000 weekly downloads each.
How did the hackers get in?
They abused the automated build system, not a stolen password. As reported by BleepingComputer and confirmed by several security firms, the attackers found a misconfigured GitHub Actions workflow (the robot that automatically builds and publishes new versions of the software) on two AsyncAPI repositories. They pushed a commit under a fake identity, and the project's own trusted release robot did the rest.
That matters because the resulting packages carried legitimate SLSA provenance attestations, a kind of cryptographic receipt that says "yes, this really was built by the official pipeline". The receipt was genuine. The code inside it was not.
It is the software supply-chain equivalent of a burglar getting the factory to stamp its own seal of authenticity on his forged goods.
What the malware actually does
The first stage is a scrap of obfuscated JavaScript that runs when the poisoned package is imported. It fetches a second stage from IPFS, a peer-to-peer file network that is harder to shut down than a normal web server. That in turn pulls a third stage: a 92,000-line malware framework, according to Wiz, that hides on the machine and phones home over several channels including plain web traffic, the Nostr messaging protocol, Ethereum smart contracts and a libp2p peer-to-peer network.
The design is exotic. The goal is not.
It hunts for credentials, authentication tokens, browser-saved passwords, secrets from build pipelines and AI coding tools, cryptocurrency wallets, and database logins. It downloads two well-known scanning tools, Gitleaks and HackBrowserData, to help sweep for goodies.
There is one twist worth noting. Researchers at Ox Security found the malware checks whether it is running on a Russian system and quietly quits if it is.
SafeDep researchers say the payload resembles a known backdoor called Miasma, but suspect this is either a private fork by the same crew or a copycat who picked up the name after the original source leaked.
Should ordinary developers worry?
If you did not install AsyncAPI packages between 07:10 and 11:18 UTC on 14 July, no. The malicious versions are gone from npm.
If you did, or you are not sure, treat any machine that touched those packages as suspect. Pin your dependencies to known-good versions, rebuild your lock files from scratch, hunt for a hidden file at NodeJS/sync.js, kill any suspicious processes, and rotate every credential the machine could have seen. Aikido notes that although the automated theft routine crashed, an attacker with hands on the keyboard could still have used the shell access to grab data manually.
For everyone else: this one is a developer problem, not a consumer one. But it is another reminder that the plumbing under modern software is only as trustworthy as the CI pipeline that built it.



