Compromised @asyncapi npm Packages Deliver Multi-Stage Botnet Loader

Another JavaScript-ecosystem supply-chain compromise, confirmed by four vendors: four @asyncapi npm packages were observed distributing a multi-stage botnet loader, and all five malicious versions have since been pulled from npm — defender inventory work this week.

Share
Editorial illustration of an npm package emitting nested loader boxes toward a node cluster, marking compromised @asyncapi packages delivering a botnet loader.

Key Takeaways

  • Researchers on July 15, 2026 disclosed that four compromised packages in the @asyncapi npm namespace were observed distributing a multi-stage botnet loader, with confirmation from four vendors — OX Security, SafeDep, Socket, and StepSecurity — turning this week's defender work toward dependency inventory across organizations that depend on @asyncapi packages.
  • The affected packages and versions are named precisely — @asyncapi/generator-helpers@1.1.1, @asyncapi/generator-components@0.7.1, @asyncapi/generator@3.3.1, and @asyncapi/specs (v6.11.2 and v6.11.2-alpha.1) — and all five malicious versions have since been unpublished from the npm registry, so the live task is determining whether any affected version was ever installed or loaded in a build or developer workflow.
  • Several details remain unestablished at disclosure: no threat actor has been named, the download totals of the specific compromised versions are not quantified, and it is not established whether the AsyncAPI project has issued a formal notice — gaps that shape but do not delay the defender inventory task.

A multi-vendor-confirmed JavaScript-ecosystem supply-chain compromise — the defender task is inventory, dependency review, and endpoint scoping, not malware analysis.

SAN FRANCISCO, CALIF. — Researchers on July 15, 2026 disclosed that four compromised npm packages in the @asyncapi namespace were observed distributing a multi-stage botnet loader, in findings confirmed by four separate vendors. The packages sit inside the @asyncapi scope on npm — the JavaScript and Node.js package registry — and are widely pulled into projects that use the AsyncAPI project's code-generation tooling. For defenders, the disclosure is first of all an inventory problem: determining whether any of the named, compromised versions ever reached a build pipeline, a CI runner, or a developer machine, and treating any endpoint that loaded one as potentially exposed.

The compromise was reported by The Hacker News, under the headline "Compromised AsyncAPI npm Packages Deliver Multi-Stage Botnet Malware," and independently documented by Socket and StepSecurity, alongside OX Security and SafeDep. That four vendors converged on the same set of packages is the load-bearing fact for a defender: the affected versions are named and confirmed, so the response is dependency review and endpoint scoping rather than forensics on a breached perimeter. The CyberSignal is deliberately not reconstructing how the loader operates once resident; that mechanism is the attacker's concern, not the defender's checklist.

At a Glance
FieldDetails
WhatFour compromised packages in the @asyncapi npm namespace, observed distributing a multi-stage botnet loader
Registry / scopenpm (JavaScript / Node.js registry); the @asyncapi scope
Affected package@asyncapi/generator-helpers@1.1.1
Affected package@asyncapi/generator-components@0.7.1
Affected package@asyncapi/generator@3.3.1
Affected package@asyncapi/specs (v6.11.2, v6.11.2-alpha.1)
Confirming vendorsOX Security, SafeDep, Socket, StepSecurity
DisclosedJuly 15, 2026, via The Hacker News
Registry statusAll five malicious versions since unpublished from npm
Threat actorNot named at disclosure

What Multi-Vendor Research Disclosed

According to The Hacker News, four compromised packages in the @asyncapi namespace were observed distributing a multi-stage botnet loader, with corroborating analyses from OX Security, SafeDep, Socket, and StepSecurity. The through-line across the four accounts is consistent: the malicious versions carried an injected component that, once the module was loaded, pulled down and ran a further stage. Researchers characterized the loader in botnet terms and noted capabilities including credential theft and self-propagation; restated as a defender fact, that means any host that actually executed an affected version should be scoped as potentially exposed rather than assumed clean.

One operational detail is worth surfacing precisely because it changes where exposure lives. Per the reporting, the malicious code did not rely on an npm install script; it ran when the affected module was loaded during normal use of the tooling. The practical consequence for defenders is that the presence of a compromised version in a lockfile is not the same as execution: exposure depends on whether a build or developer workflow actually called into the library. That distinction sharpens the inventory task — enumerate the affected versions, then determine which endpoints loaded them.

The Affected Package List and Defender Posture

The affected versions are named and should be matched verbatim against dependency trees and lockfiles: @asyncapi/generator-helpers@1.1.1, @asyncapi/generator-components@0.7.1, @asyncapi/generator@3.3.1, and @asyncapi/specs (v6.11.2 and v6.11.2-alpha.1). These are components of the AsyncAPI project's code-generation tooling, so the population most directly exposed is teams that generate code or documentation from AsyncAPI definitions — often inside build pipelines and CI, which is exactly where a load-time trigger matters.

The defender checklist requires no knowledge of how the loader works internally. Start with inventory: enumerate direct and transitive @asyncapi dependencies from lockfiles and any software bill of materials, then match the named versions against what is actually resolved — including on CI runners and developer laptops that may not appear in a production manifest. Where an affected version is found, pin or roll back to a known-good release, rebuild cleanly, and rotate any credentials that were available on a machine where the module ran. Because the reported effect is botnet activity, egress monitoring is the most relevant network-side control: unexpected outbound connections from build agents or developer machines are what distinguish a dormant dependency from one that executed.

Provenance Attested the Build, Not the Commit

The most instructive defender lesson concerns how the malicious versions were published. According to StepSecurity, the attacker is said to have gained push access to the repositories and used the project's own legitimate GitHub Actions release pipeline to publish the packages — with valid provenance attestations and no theft of an npm token. In the researchers' framing, this was a CI/CD pipeline compromise rather than a stolen maintainer credential or a malicious maintainer. The consequence is uncomfortable but important: the resulting packages carried legitimate provenance, which proves only that the project's authorized workflow produced them, not that the triggering commits were trustworthy. Provenance and trusted-publisher integrations narrow the attack surface; they do not, on their own, vouch for a compromised push.

That pattern is not new to this beat. The CyberSignal has previously covered how Shai-Hulud generated valid Sigstore provenance badges for its malicious npm packages, and how a GitHub CI/CD workflow backdoor reached thousands of repositories. For defenders, the takeaway is to treat provenance as one signal among several — useful, but not a substitute for scrutinizing what actually changed in a release.

Continuation Context: The JavaScript-Ecosystem Supply-Chain Thread

This disclosure lands in a now-familiar run of JavaScript-ecosystem supply-chain incidents. Only a day earlier, researchers disclosed 148 npm packages disguised as student proxies that reportedly turned browsers into a DDoS botnet, and the registry has been tightening defaults — as when npm disabled install scripts by default for newly published packages. The @asyncapi case is a reminder that a load-time trigger sidesteps exactly that install-script hardening. The broader thread also includes the Mastra project's contributor-account compromise that pushed 145 malicious packages and the recurring Miasma-lineage npm activity tracked earlier this year. Researchers noted string-level resemblances to prior Miasma and Shai-Hulud campaigns while stating this loader is not the same as, nor attributed to, those operations — a distinction the reporting is careful to preserve, and one defenders should not collapse.

AsyncAPI Project Response and What to Watch For

The most consequential fact for scoping has already resolved in defenders' favor: all five malicious versions have since been unpublished from the npm registry, which blocks new installations and narrows the remaining work to cleaning up existing footholds. What is not yet established is the AsyncAPI project's own formal communication — whether it has published a maintainer notice or post-incident writeup laying out the timeline and remediation. Because the reported entry point was push access to the release pipeline rather than a stolen npm token, the questions to watch are pipeline-shaped: how the push credential was obtained, what commits triggered the poisoned releases, and what controls the project adds to gate its trusted-publisher workflow. Those answers will determine whether this reads as a contained cleanup or the opening of a longer thread.

Open Questions

Several material facts remain unresolved at disclosure. No threat actor has been named, and the reporting explicitly declines to attribute the loader to the Miasma, Shai-Hulud, or related campaigns despite surface resemblances. The download totals of the specific compromised versions are not quantified, leaving the campaign's real-world reach unclear even though the affected package list is precise. And it is not established whether the AsyncAPI project has issued a formal maintainer-account or incident notice.

What is firm enough to act on is the shape of the incident: four named, compromised @asyncapi packages, confirmed by four vendors, observed distributing a multi-stage botnet loader, with all five malicious versions now pulled from npm. The reporting rests on the account carried by The Hacker News and the four vendors' analyses; the attribution, the download figures, and the project's response may all be refined as more detail emerges, but none of those gaps changes the inventory-and-scoping work in front of teams that depend on @asyncapi tooling.


The CyberSignal Analysis

The reported facts above come from the disclosure as carried by The Hacker News and the four confirming vendors; what follows is The CyberSignal's editorial reading of what defenders should take from them. None of the judgments below are new reported facts.

Signal 01 — Match the Named Versions, Then Scope by Execution

The advantage this disclosure hands defenders is precision: the affected versions are named, so the first pass is a verbatim match against lockfiles and a bill of materials. The second pass is the one teams tend to skip — determining which endpoints actually loaded an affected version, since a load-time trigger means presence in a lockfile is not the same as execution. The teams that respond fastest are the ones that can answer both questions from current inventory rather than reconstructing it under pressure. Treat any host that called into the compromised tooling as potentially exposed, and rotate credentials that lived on it.

Signal 02 — Provenance Is a Signal, Not a Guarantee

The detail we would dwell on is that the malicious versions carried valid provenance and were published through the project's own release pipeline. That is precisely the outcome trusted-publisher integrations are supposed to make hard, and it did not prevent this. The lesson is not that provenance is worthless — it meaningfully raises the bar — but that it attests to the build workflow, not to the legitimacy of the commits that triggered it. Defenders who lean on provenance as a pass/fail gate should pair it with review of what actually changed in a release and monitoring of the pipelines that mint attestations.

Signal 03 — Registry Removal Bounds This One; the Pipeline Question Doesn't Close

With all five versions unpublished, the exposure window for new installations is closed, which bounds this incident more tightly than many we track. Our assessment is that the open work has shifted from prevention to cleanup and to a narrower governance question: how a push credential reached a release pipeline, and how the AsyncAPI project hardens that path. The practical takeaway is to finish the inventory now while the details are fresh, watch for the project's post-incident notice, and treat the pipeline-compromise pattern — not the specific loader — as the reusable lesson.


Sources

TypeSource
ReportingThe Hacker News — Compromised AsyncAPI npm Packages Deliver Multi-Stage Botnet Malware
PrimarySocket — AsyncAPI Supply Chain Attack
PrimaryStepSecurity — Compromised Next Branch Pushes Malicious @asyncapi Packages to npm
RelatedThe CyberSignal — 148 npm Packages Disguised as Student Proxies Turned Browsers Into a DDoS Botnet
RelatedThe CyberSignal — Shai-Hulud Is Now Generating Valid Sigstore Provenance Badges
RelatedThe CyberSignal — npm Disables Install Scripts by Default for New Packages