Developers often assume that packages published through official channels have passed through a secure release process. That assumption is fundamental to modern software development, where open source components are routinely integrated into applications through automated dependency management. A new investigation suggests that confidence can be challenged when attackers gain access to the systems responsible for publishing software.
Cloud security company Upwind has released findings from an investigation into a coordinated attack affecting multiple official AsyncAPI npm packages. According to the company, the activity extended beyond a single compromised package and instead involved multiple repositories and publishing pipelines, allowing malicious code to be distributed through legitimate release channels.
The investigation uncovered multiple points of compromise
Upwind’s research found that the campaign affected several parts of the AsyncAPI ecosystem.
Researchers confirmed that attackers compromised two separate GitHub repositories and later identified a second independent repository compromise. They also observed attacks against different release branches and the abuse of different OpenID Connect (OIDC) publishing identities within a relatively short timeframe.







