Home / Jul 16, 2026 / Story
0
#9 The Hacker News general July 15, 2026 at 09:16 UTC

Compromised AsyncAPI npm Packages Deliver Multi-Stage Botnet Malware

By [email protected] (The Hacker News)

AI Summary

Four packages in the @asyncapi npm namespace — including @asyncapi/[email protected] and @asyncapi/specs versions 6.11.2 and 6.11.2-alpha.1 — were compromised in a supply chain attack delivering a multi-stage botnet loader, according to joint findings from OX Security, SafeDep, Socket, and StepSecurity. The AsyncAPI toolchain is widely used in event-driven API development, making downstream exposure significant for enterprise JavaScript/Node.js environments. Developers using these packages should audit their dependency trees and rotate any secrets accessible from affected build environments.

Relevance score: 78.0/100

# More from July 16