[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fvht2d8v77ypXN0oIpTiAqQTTCYSDlVzgwBCLZEpw66o":3},{"article":4,"iocs":53},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":30,"category":31,"article_tags":35},"efe6fead-8844-4df3-ac38-a89bb73f2e50","Upwind Finds Coordinated Supply Chain Campaign Compromising Multiple AsyncAPI npm Packages","upwind-finds-coordinated-supply-chain-campaign-compromising-multiple-asyncapi-np-83e913","Upwind links compromised AsyncAPI npm packages to a coordinated supply chain attack spanning repositories, publishing pipelines, and developer systems at risk.","Upwind has uncovered a coordinated supply chain attack targeting multiple official AsyncAPI npm packages. The attackers compromised GitHub repositories and publishing pipelines, distributing malicious code through trusted channels. The malware was embedded to execute during normal package imports, evading traditional security measures and posing a risk to developer workstations and CI\u002FCD environments.","Upwind reports a coordinated supply chain attack compromising multiple AsyncAPI npm packages.","SecurityUpwind Finds Coordinated Supply Chain Campaign Compromising Multiple AsyncAPI npm Packages Upwind links compromised AsyncAPI npm packages to a coordinated supply chain attack spanning repositories, publishing pipelines, and developer systems at risk. byOwais SultanJuly 14, 20263 minute read Listen to this article 0:00 — ← 10s ▶ Play 10s → Speed 0.75× 1× 1.25× 1.5× 2× Voice Loading voices… Press play to start listening Software supply chains have become an increasingly attractive target for attackers because a single compromise can ripple across countless development environments. Instead of breaking into individual organizations, threat actors are increasingly seeking access to the trusted infrastructure used to distribute software, allowing malicious code to spread through legitimate channels. New research from Upwind offers another example of that shift. The cloud security company disclosed findings from an investigation into a coordinated attack that affected multiple official AsyncAPI npm packages, revealing compromises across repositories and publishing pipelines rather than a single isolated package. An attack that reached beyond one repository Upwind’s investigation found that the campaign impacted multiple components of the AsyncAPI ecosystem. Researchers confirmed that attackers compromised two separate GitHub repositories while also identifying a second independent repository compromise. According to the company, the attackers targeted different release branches and abused different OpenID Connect (OIDC) publishing identities over a short period, demonstrating access to multiple publishing pipelines. The activity suggests a coordinated operation aimed at the software release process itself instead of a one-time package compromise. By targeting trusted publishing infrastructure, attackers were able to distribute malicious code through official channels that developers would normally consider reliable. Malicious code hidden in normal application behavior One of the investigation’s key findings was the way the malicious code was executed. Rather than depending on familiar preinstall or postinstall scripts commonly associated with npm attacks, the attackers embedded code that executed during normal package imports or through alternative execution paths. This approach allows malicious activity to occur during expected application behavior instead of package installation, making it more difficult for conventional security tools to identify suspicious actions. Upwind also observed that the attackers varied their execution techniques throughout the campaign. Even as those methods changed, researchers found consistent use of the same infrastructure and malware patterns across the compromised repositories and publishing pipelines, indicating that the activity was part of a single coordinated effort. Risks for development environments Because the compromised packages were published through official channels, developers using routine dependency management practices could unknowingly introduce malicious code into their environments. According to Upwind, the threat extends to both developer workstations and CI\u002FCD environments where the affected packages were imported. Since the packages appeared legitimate, organizations may not immediately recognize that their development infrastructure has been exposed. “This wasn’t just a malicious package -it was a compromise of trust,” said Amiram Shachar, CEO and Co-Founder of Upwind. “Multiple official AsyncAPI packages were published with backdoored code from separate repositories and publishing pipelines, showing that attackers are increasingly targeting the software release process itself.” Reviewing the software supply chain In response to its findings, Upwind recommends that organizations review their software supply chains and determine whether affected package versions were introduced into development environments. The company advises security teams to verify the specific package versions currently in use, pin dependencies to trusted releases, and inspect recent dependency updates, lockfiles, and Software Bills of Materials (SBOMs) for unexpected changes. Upwind also recommends treating developer workstations and CI\u002FCD runners that imported the affected packages as potentially compromised. Credentials that were accessible from those systems should be rotated to reduce potential risk. Visibility beyond package installation The investigation highlights an important challenge for organizations securing modern development pipelines. As attackers continue targeting trusted publishing infrastructure, monitoring package installation alone may not provide enough visibility to identify malicious activity. Upwind says organizations should complement traditional software supply chain protections with runtime visibility and continuous monitoring capable of detecting suspicious behavior during application execution. As software development workflows become more automated and interconnected, understanding what packages do after they are imported is becoming an increasingly important part of defending the software supply chain. The company said it continues to monitor the campaign while encouraging organizations to strengthen their software supply chain security practices against similar attacks. AsyncAPICyber AttackCybersecurityNPMSupply ChainUpwindVulnerability Leave a Reply Cancel reply View Comments (0) Related Posts Read More Security 68% of US Websites Exposed to Bot Attacks The conclusion was reached after researchers evaluated over 9,500 of the largest transactional websites in terms of traffic,… byDeeba Ahmed Read More Security Phishing Scam Bodybuilding.com suffers data breach; issues password reset for all users Bodybuilding.com will contact all former and current users – The website has over seven million registered users. The… byUzair Amir Read More Security Domestic violence assistance app breached placing victims at risk The app provides news stories sourced from Yahoo and is focused on... bySudais Asif Read More News Security Technology TikTok Denies Data Breach After Hackers Claim Stealing 2 Billion Records (Updated) Reports of the supposed hacking of TikTok appeared on September 3rd, 2022 on the Breach Forums which surfaced as an alternative to popular and now-sized Raidforums. byDeeba Ahmed","https:\u002F\u002Fhackread.com\u002Fupwind-supply-chain-compromise-asyncapi-npm-packages\u002F","https:\u002F\u002Fhackread.com\u002Fwp-content\u002Fuploads\u002F2026\u002F07\u002Fupwind-supply-chain-compromise-asyncapi-npm-packages.png","2026-07-14T17:31:15+00:00","2026-07-14T18:00:03.960408+00:00",8,[18,21,24,26,28],{"name":19,"type":20},"Upwind","vendor",{"name":22,"type":23},"npm","technology",{"name":25,"type":23},"AsyncAPI",{"name":27,"type":23},"GitHub",{"name":29,"type":23},"OpenID Connect","26b0b636-0e31-4db1-bffb-61bdf9f20a58",{"id":30,"icon":32,"name":33,"slug":34},null,"Supply Chain","supply-chain",[36,38,43,48],{"category":37},{"id":30,"icon":32,"name":33,"slug":34},{"category":39},{"id":40,"icon":32,"name":41,"slug":42},"89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5","Malware","malware",{"category":44},{"id":45,"icon":32,"name":46,"slug":47},"ade75414-7914-4e23-a450-48b64546ee70","Open Source","open-source",{"category":49},{"id":50,"icon":32,"name":51,"slug":52},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[]]