Five malicious versions of AsyncAPI packages were published to npm, delivering a remote access trojan capable of stealing credentials and sensitive data from developer systems.
The supply-chain attack compromised multiple AsyncAPI packages on the Node Package Manager registry, a critical distribution channel for JavaScript and Node.js developers. The malicious versions contained a remote access trojan with info-stealing capabilities, posing a direct threat to any developer who installed the affected packages.
AsyncAPI is a widely-used specification and tooling ecosystem for building event-driven APIs. The attack targeted the npm repository, where millions of developers download packages daily, making it an effective vector for distributing malware at scale.
The infected packages were designed to execute malicious code upon installation or runtime, potentially harvesting credentials, API keys, authentication tokens, and other sensitive information from compromised developer environments. This type of attack is particularly dangerous in supply-chain scenarios, as developers often run code from trusted sources without extensive security scrutiny.
Npm has since removed the malicious packages from its registry. Security researchers recommend developers immediately check their dependency versions and update to patched releases. Users who installed affected versions should assume their credentials and sensitive data may be compromised and should rotate any exposed API keys, tokens, and passwords.
This incident underscores growing risks in open-source software distribution. As development teams increasingly rely on third-party packages, attackers have shifted focus to compromising popular libraries and frameworks. Previous similar attacks have targeted other npm packages, including popular utilities and development tools.
Developers should implement stricter dependency management practices, including regular audits of installed packages, use of supply-chain security tools, and verification of package integrity. Many npm security platforms now flag suspicious package versions and metadata changes to help detect compromises earlier.
Federal prosecutors have unsealed a 2024 indictment charging three Russian nationals and two web hosting services with facilitating cyberattacks and money laundering that victimized cybercrime targets of $62 million.
A hacker accessed Suno's source code using stolen employee credentials, revealing that the AI music generator scraped decades of audio from YouTube to train its model.
Criminals can now clone voices with AI in mere seconds, outpacing traditional authentication defenses that banks and financial institutions rely on to prevent fraud.
Partnered Health, one of Australia's largest healthcare providers, has disclosed a cyber-attack affecting 21 clinics across Sydney, Melbourne, and Canberra. Personal information and medical records were compromised in the breach.