Security advisory from SafeDep. On 14 July 2026 an attacker published malicious, credential-stealing versions of four @asyncapi npm packages. Your dependency graph pulls in one of them. You are most likely safe. You are only exposed if your lockfile pins a malicious version below.
How it reaches you (from your GitHub dependency graph):
asyncapi/nodejs-template → @asyncapi/parser@3.0.10 → @asyncapi/specs@6.7.1
asyncapi/nodejs-template → @asyncapi/generator@1.17.25
asyncapi/nodejs-template → @asyncapi/parser@2.1.2 → @asyncapi/specs@5.1.0
Verify it yourself
Malicious → safe versions
@asyncapi/generator 3.3.1 → 3.3.0
@asyncapi/generator-helpers 1.1.1 → 1.1.0
@asyncapi/generator-components 0.7.1 → 0.7.0
@asyncapi/specs 6.11.2 / 6.11.2-alpha.1 → 6.11.1
What to do: grep your lockfile for the malicious versions. If none appear, pin the safe versions and you are done. If one appears, the payload dropped a sync.js backdoor and stole credentials, so rotate the build machine's npm, GitHub, SSH, and AWS tokens plus browser passwords.
Full analysis: https://safedep.io/asyncapi-generator-supply-chain-attack-miasma-rat/
Security advisory from SafeDep. On 14 July 2026 an attacker published malicious, credential-stealing versions of four
@asyncapinpm packages. Your dependency graph pulls in one of them. You are most likely safe. You are only exposed if your lockfile pins a malicious version below.How it reaches you (from your GitHub dependency graph):
asyncapi/nodejs-template→@asyncapi/parser@3.0.10→@asyncapi/specs@6.7.1asyncapi/nodejs-template→@asyncapi/generator@1.17.25asyncapi/nodejs-template→@asyncapi/parser@2.1.2→@asyncapi/specs@5.1.0Verify it yourself
Malicious → safe versions
@asyncapi/generator3.3.1→3.3.0@asyncapi/generator-helpers1.1.1→1.1.0@asyncapi/generator-components0.7.1→0.7.0@asyncapi/specs6.11.2/6.11.2-alpha.1→6.11.1What to do: grep your lockfile for the malicious versions. If none appear, pin the safe versions and you are done. If one appears, the payload dropped a
sync.jsbackdoor and stole credentials, so rotate the build machine's npm, GitHub, SSH, and AWS tokens plus browser passwords.Full analysis: https://safedep.io/asyncapi-generator-supply-chain-attack-miasma-rat/