Malware Injected Into Packages With 2 Million Weekly Downloads


AsyncAPI npm Supply Chain Attack: Malware Injected Into Packages With 2 Million Weekly Downloads

Pierluigi Paganini
July 15, 2026

AsyncAPI npm packages with 2M weekly downloads were compromised, spreading malware with info-stealing, crypto-theft and RAT capabilities.

OX Security researchers disclosed on July 14 that the AsyncAPI npm organization was compromised, with malicious code injected into four packages that together account for over 2 million weekly downloads. The affected versions are @asyncapi/generator 3.3.1, @asyncapi/generator-components 0.7.1, @asyncapi/generator-helpers 1.1.1, and @asyncapi/specs 6.11.2 and 6.11.2-alpha.1. AsyncAPI is widely used by developers building event-driven APIs, which means the blast radius here touches a broad cross-section of professional development environments.

“This is a highly sophisticated, multi-stage supply chain attack. The malware functions as a hybrid info-stealer, crypto-stealer, and Remote Access Trojan (RAT).” reads the report published by OX. “It actively attempts to confuse analysts by mimicking known campaigns (like Miasma) and targets developers and repository maintainers.”

OX describes what was injected as far more than a simple credential harvester. The malware payload runs to 91,973 lines of code. Whoever wrote this was not in a hurry.

The infrastructure choices are deliberate and designed for resilience. The malware uses IPFS, a legitimate peer-to-peer file storage network, to host its payload and as a fallback command-and-control server if the primary C2 at 85[.]137[.]53[.]71 becomes unavailable.

“The malware uses ipfs.io – a legitimate peer-to-peer network to store and share data – in order to store its malicious payload. Later on it uses it as a fallback server in case the C2 server is not functional.” OX explains. “The malware also uses a wide array of backup communication nodes and beacons to keep communication alive even after the C2 fails, and to bypass network-based blocks.”

Beyond IPFS, the malware maintains communication through BitTorrent bootstrap nodes including router.bittorrent.com, router.utorrent.com, and dht.transmissionbt.com, giving it multiple fallback paths if any single channel is blocked at the network level.

The self-propagation capability is what makes this particularly dangerous for developer environments. If the malware finds valid authentication tokens for npm, PyPI, or Cargo on the compromised machine, it attempts to publish itself into packages the victim maintains on those registries. One compromised developer account becomes a new distribution vector.

The researchers found an embedded Ethereum contract address, 0x12c37A86a0Ed0beBe5d1d6a43E42f07860eAc710, in the code, however, they were not able to fully determine how it’s used operationally.

The malware checks whether it’s running inside a virtual machine, whether an endpoint detection tool is present, and whether the system’s locale is set to Russian. If any of those conditions are true, it terminates. This is standard practice for malware that doesn’t want to infect its operators’ own machines or run inside a security researcher’s sandbox.

“Although the malware has some similarities to the Shai-Hulud and Miasma campaigns, and it contains the Miasma string multiple times inside its code, this malware isn’t the same as them, nor is it attributed to the Miasma/Shai-Hulud/TeamPCP campaigns that we’ve seen in the past.” states the report.

The Miasma references inside the code appear to be deliberate misdirection rather than a genuine connection, a tactic designed to send analysts chasing the wrong attribution trail.

npm’s version 12 introduced restrictions on post-install scripts, specifically to prevent malware from executing code at install time. The attackers here didn’t need that vector.

The malicious payload was injected directly into the main JavaScript file of each affected package, making it indistinguishable from legitimate code at install time and executable the moment the package is imported in a project.

If you use any of the affected package versions, the immediate steps are to revoke all developer tokens associated with npm, PyPI, and Cargo on any machine that may have run these packages, rotate secrets, and audit recent commits and package releases in your own registries for unauthorized changes. Monitor for unexpected outbound connections to BitTorrent bootstrap nodes or IPFS gateways on developer networks, as these are the malware’s communication channels and would be unusual in a typical development environment. Check whether any packages you maintain have had unauthorized versions published while the affected versions were in use on your machines.

“npm’s v12 is out, blocking post-install scripts, but threat actors didn’t need to use them as they just embedded the malicious code inside the main JavaScript file without being blocked.” concludes the report. “This amplifies the message we extensively discussed in npm Is Fighting the Right War With the Wrong Weapons – and we don’t see this trend changing anytime soon.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, AsyncAPI)







Source link

Leave a Reply

Subscribe to Our Newsletter

Get our latest articles delivered straight to your inbox. No spam, we promise.

Recent Reviews


More than $18.4 Million Available to Expand HealthySteps, an Early Childhood Mental Health Initiative that Screened 108,000 New Yorkers for Maternal Depression in 2025

Office of Mental Health Awards $350,000 in ‘Collaborative Care’ Grants to Help OBGYN and Family Medicine Practices Provide Behavioral Health Support to Patients

New York State Announces Efforts to Bolster Maternal Mental Wellbeing

The New York State Office of Mental Health recently announced the availability of more than $18.4 million to expand HealthySteps, a successful early childhood mental health initiative that provides tens of thousands of critical depression screenings for new mothers annually. The agency also announced $350,000 in awards through the Collaborative Care program to help OBGYN and family medicine practices provide behavioral health support to their patients.

“It is critical that we focus on maternal mental health and develop the preventative services and supports for families in our state that address the long-standing inequities in care,” Office of Mental Health Commissioner Dr. Ann Sullivan said. “Initiatives like HealthySteps, Collaborative Care, Project TEACH and others are providing often life-saving screenings that are also connecting New Yorkers to both prenatal and postpartum supports. Under Governor Kathy Hochul’s leadership, we are increasing prevention services to improve outcomes and eliminating disparities in care.”

“I am grateful to Governor Hochul for her leadership in advancing maternal mental health initiatives in New York State that expand access to critical screenings and services,” Health Commissioner Dr. James McDonald said. “In recognition of Maternal Mental Health Awareness Week, we are reminded that every mother deserves compassion, support, and quality care. We remain committed to ensuring that all mothers feel supported, heard, and empowered.”

The state Office of Mental Health made available more than $18.4 million to continue expanding HealthySteps, an innovative program integrating behavioral health professionals with pediatric practices to provide early childhood mental and physical health care. The additional funding will provide 38 new awards to the 152 sites now funded, increasing statewide capacity of the program by about 25 percent once all are fully implemented.

HealthySteps pairs behavioral health specialists with pediatricians, who are often the first point-of-contact new caregivers have with the health care system. These specialists then serve as part of the primary care team during well visits, screening children and parents for a variety of concerns including behavioral health, developmental concerns and social determinants of health and family needs and then linking them to supports.

In 2025 alone, HealthySteps sites completed more than 108,000 screenings for perinatal depression, identifying cases and connecting parents to support when needed. Altogether, these sites conducted more than 500,000 screenings, helping to track food insecurity, housing instability, substance misuse, tobacco use, transportation, utility, and interpersonal safety.

In addition to the funding availability, OMH also awarded seven $50,000 one-time Collaborative Care grants to help OBGYN and family medicine practices implement evidence-based integrated healthcare for their patients and decrease racial disparities. Award recipients by region include:

Hudson Valley

New York City

  • Jamaica Hospital in Queens
  • Montefiore Medical Center in the Bronx
  • William F. Ryan Community Health Center, Inc., in Manhattan

Western New York

  • Jericho Road Ministries, Inc., in Buffalo
  • Neighborhood Health Center of WNY in Buffalo
  • Niagara Falls Memorial Medical Center in Niagara Falls

This funding will expand the psychiatric collaborative care model at these practices so they can increase perinatal depression and anxiety screenings and integrated treatment — a recommendation included in the state’s first-ever maternal mental health report. Directed by Governor Hochul and released by OMH in November, this report detailed the challenges pregnant and postpartum individuals are facing and made recommendations for improvements statewide.

Previously, Governor Hochul secured a $2.9 million increase to expand Project TEACH, an initiative that assists maternal health providers with screening and treatment of maternal depression and related mood and anxiety disorders during pregnancy and the postpartum period within their scope of practice. Adopted as part of the FY 2026 State Budget, the expansion has allowed a wider range of front-line practitioners – including doulas, midwives, therapists, WIC staff, home visiting nurses, lactation consultants, caseworkers and others working directly with the perinatal population – to obtain professional training and support in assessment for consultations with a reproductive psychiatrist or psychologist, and accessing resources.

Every year, an estimated 500,000 – about one in five – mothers in the United States experience perinatal mood and anxiety disorders during pregnancy or in the first year postpartum. About 75 percent of these individuals are not diagnosed or treated, which can lead to high-risk pregnancies, poor childhood cognitive development due to substance use, self-harm, or suicide.

View the original source here.



Source link