malware
npm
@asyncapi/generator
discovered 2026-07-14Legitimate AsyncAPI code generator compromised via malicious commit to the next branch, published by the triggered release workflow. Obfuscated JavaScript hidden after ~1,000 bytes of whitespace padding on line 69 of lib/templates/config/validator.js; spawns a detached Node process that downloads the Stage-2 RAT from IPFS. Published 2026-07-14T07:10:48Z. ~126,000 weekly downloads.
Threat types
credential_stealer rat c2_agent data_exfiltration persistence
Malicious versions
- 3.3.1