malware npm

@asyncapi/generator

discovered 2026-07-14

Legitimate AsyncAPI code generator compromised via malicious commit to the next branch, published by the triggered release workflow. Obfuscated JavaScript hidden after ~1,000 bytes of whitespace padding on line 69 of lib/templates/config/validator.js; spawns a detached Node process that downloads the Stage-2 RAT from IPFS. Published 2026-07-14T07:10:48Z. ~126,000 weekly downloads.

Threat types

credential_stealer rat c2_agent data_exfiltration persistence

Malicious versions

  • 3.3.1

Campaigns

Indicators

Read the full analysis →