AsyncAPI npm packages hit by credential-stealing malware

Five malicious versions of AsyncAPI packages were slipped into the Node Package Manager (npm) registry, exposing developers to a supply-chain attack that installs a remote access trojan (RAT) with credential-stealing and information-harvesting capabilities.
Security researchers reported that the rogue packages—published under names like asyncapi-generator-web-api, asyncapi-generator-react-sdk, and others—contained obfuscated JavaScript designed to exfiltrate environment variables, browser data, and system information back to attacker-controlled servers. Once installed via npm install, the malware establishes persistence on the developer’s machine, allowing unauthorized remote access and further compromise of connected systems.
A familiar pattern, still effective
This incident mirrors a recurring threat vector in open-source ecosystems: attackers exploit the trust developers place in widely used package names to distribute malicious code. The AsyncAPI packages, which purport to assist with API documentation and generation, were likely chosen for their perceived legitimacy among backend and API-focused development teams. By piggybacking on a recognizable namespace, the attackers increased the chances of the packages being adopted without scrutiny.
What developers should check now
Users who installed any of the five flagged versions—including asyncapi-react-component, asyncapi-generator-web-api, asyncapi-generator-react-sdk, asyncapi-tools, and asyncapi-generator-filters—are advised to audit their environments immediately. Removal of the packages and a full credential reset are critical steps, as the malware is capable of harvesting stored passwords and authentication tokens. npm has since removed the malicious packages, but the broader lesson remains: supply-chain attacks continue to exploit gaps in package verification and transitive dependency chains.
Why it matters
Supply-chain attacks on npm remain a low-effort, high-impact strategy for cybercriminals, targeting both individual developers and organizations that rely on open-source libraries. The use of a RAT with credential-stealing features underscores how attackers are evolving beyond simple crypto-mining payloads to monetize compromised developer machines. For engineering teams, this highlights the need for stricter package provenance checks, automated scanning in CI/CD pipelines, and rapid response plans for when malicious code inevitably slips through.
Source: BleepingComputer. AI-assisted editorial synthesis — TechnoExpress.

