THREATOPS
THREAT OPSThreat News › Compromised AsyncAPI packages on npm deliver malware

Compromised AsyncAPI packages on npm deliver malware

lowdatadog_seclabsPublished 2026-07-14

A commit to the AsyncAPI generator GitHub repository injected obfuscated JavaScript into four npm packages with a combined weekly download volume of over 3 million. Here's what we know and how to check if you're affected.

MITRE ATT&CK techniques

Original source: https://securitylabs.datadoghq.com/articles/compromised-asyncapi-npm-packages/