Skip to content

Security advisory: malicious AsyncAPI package versions published (Miasma RAT) #72

Description

@kunalsingh-safedep

Security advisory from SafeDep. On 14 July 2026 an attacker published malicious, credential-stealing versions of four @asyncapi npm packages. Your dependency graph pulls in one of them. You are most likely safe. You are only exposed if your lockfile pins a malicious version below.

How it reaches you (from your GitHub dependency graph):

  • PaystackOSS/openapi@stoplight/spectral-cli@6.15.0@stoplight/spectral-rulesets@1.22.0@asyncapi/specs@6.9.0

Verify it yourself

Malicious → safe versions

  • @asyncapi/generator 3.3.13.3.0
  • @asyncapi/generator-helpers 1.1.11.1.0
  • @asyncapi/generator-components 0.7.10.7.0
  • @asyncapi/specs 6.11.26.11.1

What to do: grep your lockfile for the malicious versions. If none appear, pin the safe versions and you are done. If one appears, the payload dropped a sync.js backdoor and stole credentials, so rotate the build machine's npm, GitHub, SSH, and AWS tokens plus browser passwords.

Full analysis

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions