Tuesday, 14 July 2026 · Europe
EUR/USD 1.141 EUR/GBP 0.8521 EUR/CHF 0.9257 EUR/PLN 4.338 All rates →
Sign in · Join
EUROPES The European Report
LATEST
Tech & Startups

AsyncAPI npm packages compromised in coordinated supply chain attack

AsyncAPI npm packages compromised in coordinated supply chain attack

A coordinated attack on official AsyncAPI release pipelines has distributed backdoored code through legitimate channels, threatening European businesses that rely on automated software dependencies.

Cloud security company Upwind has uncovered a coordinated campaign targeting the official release pipelines of AsyncAPI npm packages. Rather than exploiting a single weakness, attackers breached multiple GitHub repositories and abused different OpenID Connect publishing identities. This allowed them to distribute backdoored code through legitimate, trusted channels that developers assume are secure.

The attack methodology deliberately bypassed standard security monitoring tools. Malicious code executed during normal package imports rather than during the installation phase. By avoiding the preinstall or postinstall scripts traditionally associated with npm supply chain attacks, the threat actors ensured the backdoors triggered during routine application behavior. Upwind noted that while execution methods varied, the attackers repeatedly reused the same underlying infrastructure and malware patterns across the different compromised pipelines.

For European businesses, this incident undermines a fundamental assumption of modern software development. Companies routinely integrate open-source components through automated dependency management, trusting that official registries are safe. The AsyncAPI compromise proves that attackers can hijack the software release process itself, turning a standard dependency update into a severe corporate vulnerability.

The economic implications for affected organizations are significant. Any developer workstation or continuous integration and deployment (CI/CD) environment that imported these official packages is now considered potentially compromised. Investigating this requires diverting engineering resources from product development to security audits. Companies must also rotate any credentials accessible from those environments to prevent potential lateral movement by the attackers.

To mitigate these rising systemic risks, Upwind advises organizations to stop assuming current releases are inherently safe. Companies need to verify exact dependency versions and review their lockfiles and Software Bills of Materials for unexpected changes. Pinning dependencies to verified versions is now a necessary precaution as attacks on software distribution infrastructure continue to evolve.

More from Tech & Startups