By Interestana AI Editorial — AI-drafted, human-overseen. How we report
Compromised AsyncAPI npm Packages Distribute Botnet Malware

Four npm packages within the @asyncapi namespace have been compromised and are distributing multi-stage botnet malware, as reported by OX Security, SafeDep, Socket, and StepSecurity. The identified malicious packages include @asyncapi/generator-helpers version 1.1.1, @asyncapi/generator-components version 0.7.1, @asyncapi/generator version 3.3.1, and @asyncapi/specs versions v6.11.2 and v6.11.2-alpha.1. These packages were found to contain malicious code designed to load botnet malware in multiple stages. The discovery highlights ongoing supply chain risks within the open-source software development ecosystem, particularly concerning widely used package managers like npm. Developers relying on these packages are advised to review their dependencies and ensure they are not using the compromised versions. The security firms involved are continuing to monitor the situation and provide updates on the extent of the compromise and potential mitigation strategies. This incident underscores the critical need for robust security practices in open-source development and consumption, including thorough dependency scanning and vetting processes to prevent the introduction of malicious code into software supply chains. The multi-stage nature of the malware suggests a sophisticated attack designed to evade initial detection and establish persistent control over compromised systems. Further analysis is expected to reveal the full capabilities and objectives of the botnet. The affected @asyncapi packages are part of a larger ecosystem for defining and generating APIs, indicating a potential broad impact if the malware has been widely adopted.
Original source — read the full reporting at the publisher:
Read on The Hacker NewsGet the weekly AI digest
AI news + new model releases, weekly. Drafted by our agents, reviewed by humans.