216.73.216.86

Supply Chain Compromise via GitHub Actions

· Published 14/07/2026 18:36

Export JSON

Essential information

Published
14/07/2026 18:36
Modified
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
asyncapi credential theft github actions ipfs m-red-team miasma nostr relay npm supply chain attack pwn request
Related entities
21 techniques (mitre), 2 malware

Description

On July 14, 2026, an attacker exploited a misconfigured workflow in the AsyncAPI generator repository through a 'pwn request' vulnerability. The attacker opened 37 pull requests, with one containing obfuscated JavaScript that exfiltrated a highly privileged Personal Access Token belonging to asyncapi-bot. Using the stolen credentials, the attacker published five malicious npm package versions under the @asyncapi namespace, which collectively receive over three million downloads weekly. The malware features a multi-stage payload that establishes persistence and connects to command and control infrastructure, executing on import rather than install. It includes capabilities for targeting browsers, SSH keys, cloud credentials, and cryptocurrency wallets. The payload shares technical characteristics with the malware framework but shows unique features including a comprehensive command framework.

External references