Skip to content
Tech News
← Back to articles

​ ​AsyncAPI npm packages infected with credential-stealing malware

read original more articles

Five malicious versions of AsyncAPI packages were published to the Node Package Manager (npm) in a supply-chain attack that delivered a remote access trojan with info-stealing capabilities.

The threat actor exploited a misconfigured GitHub Actions workflow and pushed trojanized packages in the @asyncapi namespace that had a cummulative weekly download count of more than 2.25 million.

Multiple security companies confirmed that on July 14, an attacker compromised two AsyncAPI GitHub repositories and injected malware into project files.

“Both attacks are CI/CD pipeline compromises, not stolen npm tokens or malicious maintainers,” reads a report from Step Security.

The researchers explain that "the attacker pushed commits under a placeholder git identity and let each repository's real release workflow do the publishing via npm's GitHub OIDC trusted-publisher integration."

In doing so, the attacker ensured that the resulting packages had the legitimate SLSA provenance attestations, indicating that they originated from an authorized workflow.

The malicious AsyncAPI packages pushed to npm are:

Application security company Socket notes that the first-stage implant in the published packages is an obfuscated JavaScript statement that ultimately triggers a downloader when the infected file is imported.

A second-stage script, which contains configuration details and the main runtime, is retrieved from the IPFS peer-to-peer content delivery network and launched as a hidden process.

Cloud and application security company Wiz says that the third-stage payload "is a 92,000-line malware framework with modular architecture," which establishes persistence on the system and communicates with the command-and-control (C2) server over several channels: HTTP, Nostr relays, Ethereum smart contracts, and a libp2p mesh network.

... continue reading