216.73.216.233

Unpacking the AsyncAPI npm supply chain compromise and import-time payload delivery

· Published 16/07/2026 08:59

Export JSON

Essential information

Published
16/07/2026 08:59
Modified
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
asyncapi bluerabbit gigawiper miasma npm compromise
Related entities
7 indicators, 1 observables, 23 techniques (mitre), 3 malware

Description

On July 14, 2026, a coordinated supply chain attack compromised the @asyncapi npm organization, affecting five package versions across four packages. The attack originated from a GitHub Actions workflow vulnerability that exposed privileged credentials, enabling unauthorized code injection. Unlike typical postinstall attacks, this campaign executes at module import time, bypassing common npm install --ignore-scripts protections. The malicious code spawned hidden processes that fetched a second-stage payload from IPFS, deploying the modular runtime with command-and-control capabilities, persistence mechanisms, and credential harvesting features. The payload included disabled modules for supply-chain propagation, AI-tool poisoning, and sandbox evasion. All compromised packages were published through legitimate GitHub OIDC workflows with valid provenance signatures, masking the malicious activity within trusted release processes.

External references