Compromised AsyncAPI npm Packages Deliver Multi-Stage Botnet Malware
By [email protected] (The Hacker News)
AI Summary
Four packages in the @asyncapi npm namespace — including @asyncapi/[email protected] and @asyncapi/specs versions 6.11.2 and 6.11.2-alpha.1 — were compromised in a supply chain attack delivering a multi-stage botnet loader, according to joint findings from OX Security, SafeDep, Socket, and StepSecurity. The AsyncAPI toolchain is widely used in event-driven API development, making downstream exposure significant for enterprise JavaScript/Node.js environments. Developers using these packages should audit their dependency trees and rotate any secrets accessible from affected build environments.
Relevance score: 78.0/100
Expert cybersecurity solutions to safeguard your organization from evolving threats.
Get Protected →