Five malicious versions of AsyncAPI packages were published to the Node Package Manager (npm) in a supply-chain attack that delivered a remote access trojan with info-stealing capabilities.
The threat actor exploited a misconfigured GitHub Actions workflow and pushed trojanized packages in the @asyncapi namespace that had a cummulative weekly download count of more than 2.25 million.
Multiple security companies confirmed that on July 14, an attacker compromised two AsyncAPI GitHub repositories and injected malware into project files.
