ShellCodeX
Tools • Events • News • Insights
ShellCodeX Intelligence Brief
CRITICAL Open Source

Malicious AsyncAPI npm package versions distribute a credential-stealing RAT

Source headline: AsyncAPI npm packages infected with credential-stealing malware

Threat level Critical
Signal strength 78/100
Source confidence 1 source
Published 8 hours ago

Intelligence Summary

Five compromised AsyncAPI npm packages were published on npm as part of a supply-chain incident. The malicious versions included a remote access trojan designed to steal sensitive information. Victims can be impacted when they install the tainted packages as dependencies in their Node.js projects. This can lead to credential and data exposure beyond the application itself. Maintainers should verify dependency versions, and developers should review package provenance and lockfiles.

Recommended Action

Prioritize immediate review, validate exposure, and patch or mitigate affected systems.

Topics

#supply-chain #malware #npm #nodejs #asyncapi #credential-stealing
Original reporting BleepingComputer AsyncAPI npm packages infected with credential-stealing malware
Open original source