AsyncAPI npm Packages Compromised via GitHub Actions Exploit

AsyncAPI npm Packages Compromised via GitHub Actions Exploit

First seen 14 Jul 2026, 14:06 UTC Aikido.DevWizCybersecuritynewsgithub.com 90% similarity 66.0

Article Content

Browse articles
ThreatCluster

On July 14, 2026, an attacker exploited a vulnerability in the AsyncAPI generator repository's GitHub Actions workflow, leading to the publication of five trojanized npm packages. The attacker stole an npm publish token through a pull_request_target workflow, allowing them to inject malicious code into the packages. These packages, which collectively have approximately 2.9 million weekly downloads, execute a multi-stage payload that establishes persistence and connects to command and control infrastructure upon import. The attack was facilitated by a known misconfiguration that grants access to repository secrets when executing untrusted code. Despite prior awareness of the vulnerability, a proposed fix remained unmerged for nearly two months. The malicious code is designed to exfiltrate sensitive information and execute arbitrary commands. The incident poses significant risks to developers and organizations using the affected packages.

Key Points: • Five trojanized npm packages published, affecting 2.9 million weekly downloads. • Exploitation of a GitHub Actions vulnerability allowed access to sensitive npm publish tokens. • Malicious payload establishes persistence and connects to command and control infrastructure.

ThreatCluster AI

Timeline

2026-05-17
Proposed fix for GitHub Actions vulnerability
A contributor opened a PR to address the pull_request_target workflow vulnerability, which remained unmerged until the attack.
Aikido.Dev
2026-07-14
Attacker opens 37 pull requests
At 05:08 UTC, the attacker opened multiple PRs, with one containing obfuscated JavaScript to exfiltrate npm publish tokens.
Wiz
2026-07-14
First compromised packages published
Using the stolen npm token, the attacker published the first malicious packages at 07:10 UTC.
Aikido.Dev
2026-07-14
Additional malicious versions published
The attacker pushed 11 commits to the asyncapi/spec-json-schemas repository, publishing two more malicious versions between 07:51 and 08:28 UTC.
Wiz

Community

Browse all →