Aikido.Dev
AsyncAPI npm Packages Compromised via GitHub Actions Exploit
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
On July 14, 2026, an attacker exploited a vulnerability in the AsyncAPI generator repository's GitHub Actions workflow, leading to the publication of five trojanized npm packages. The attacker stole an npm publish token through a pull_request_target workflow, allowing them to inject malicious code into the packages. These packages, which collectively have approximately 2.9 million weekly downloads, execute a multi-stage payload that establishes persistence and connects to command and control infrastructure upon import. The attack was facilitated by a known misconfiguration that grants access to repository secrets when executing untrusted code. Despite prior awareness of the vulnerability, a proposed fix remained unmerged for nearly two months. The malicious code is designed to exfiltrate sensitive information and execute arbitrary commands. The incident poses significant risks to developers and organizations using the affected packages.
Key Points: • Five trojanized npm packages published, affecting 2.9 million weekly downloads. • Exploitation of a GitHub Actions vulnerability allowed access to sensitive npm publish tokens. • Malicious payload establishes persistence and connects to command and control infrastructure.