Overview
- Security teams disclosed on July 15, 2026 that four @asyncapi package versions were published with an injected dropper that runs when the module is loaded and then downloads an encrypted second‑stage loader from IPFS.
- The loader unpacks a large, modular command framework that supports six independent command‑and‑control channels, includes persistence and evasion checks, and can steal credentials and attempt to publish to npm, PyPI, and Cargo if tokens are found.
- Researchers traced the publishing vector to attackers who gained push access and triggered the project's legitimate GitHub Actions release pipeline using OIDC provenance, meaning no npm token was stolen and signed attestations do not prove commit legitimacy.
- All malicious package versions have been unpublished from npm and investigators advise treating any machine that loaded the affected versions as potentially compromised, rotating and revoking developer tokens, auditing commits and releases, and hunting for outbound IPFS or BitTorrent traffic.
- The incident highlights a gap in supply‑chain defenses because code that executes at require()/import time bypasses npm post‑install restrictions and shows that provenance attestations cannot replace hardened CI controls, branch protection, and egress filtering.