Skip to content

Security advisory: malicious AsyncAPI package versions published (Miasma RAT) #385

Description

@kunalsingh-safedep

Security advisory from SafeDep. On 14 July 2026 an attacker published malicious, credential-stealing versions of four @asyncapi npm packages. Your dependency graph pulls in one of them. You are most likely safe. You are only exposed if your lockfile pins a malicious version below.

How it reaches you (from your GitHub dependency graph):

  • asyncapi/nodejs-template@asyncapi/parser@3.0.10@asyncapi/specs@6.7.1
  • asyncapi/nodejs-template@asyncapi/generator@1.17.25
  • asyncapi/nodejs-template@asyncapi/parser@2.1.2@asyncapi/specs@5.1.0

Verify it yourself

Malicious → safe versions

  • @asyncapi/generator 3.3.13.3.0
  • @asyncapi/generator-helpers 1.1.11.1.0
  • @asyncapi/generator-components 0.7.10.7.0
  • @asyncapi/specs 6.11.2 / 6.11.2-alpha.16.11.1

What to do: grep your lockfile for the malicious versions. If none appear, pin the safe versions and you are done. If one appears, the payload dropped a sync.js backdoor and stole credentials, so rotate the build machine's npm, GitHub, SSH, and AWS tokens plus browser passwords.

Full analysis: https://safedep.io/asyncapi-generator-supply-chain-attack-miasma-rat/

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions