Key points and observations
- A commit to the
asyncapi/generatorGitHub repository (3eab3ec9304aa26081358330491d3cfeb55cc245) injected obfuscated JavaScript into source files across multiple packages - Four malicious versions were published to npm on 2026-07-14:
@asyncapi/generator@3.3.1@asyncapi/generator-components@0.7.1@asyncapi/generator-helpers@1.1.1@asyncapi/specs@6.11.2(also6.11.2-alpha.1)
- Combined pre-incident weekly download volume across these packages exceeds 3 million (
@asyncapi/specsalone accounts for ~2M/week), making this a high-exposure event. - As of this writing, no revert, deprecation, or maintainer advisory has been published for any of the four malicious versions. This is an active, unremediated incident.
Developing situation
This is a developing situation and we'll publish an in-depth analysis of this campaign in the coming hours.
How to know if you're affected
You're affected if you're using one of the following package versions:
| Package | Malicious version(s) |
|---|---|
@asyncapi/generator |
3.3.1 |
@asyncapi/generator-components |
0.7.1 |
@asyncapi/generator-helpers |
1.1.1 |
@asyncapi/specs |
6.11.2, 6.11.2-alpha.1 |
How Datadog can help
Datadog Code Security can identify hosts, containers, and build environments where the compromised version was installed. Use the following query in the Software Composition Analysis (SCA) to scope affected systems:
(@package.normalized_name:@asyncapi/generator @package.version:3.3.1)
OR (@package.normalized_name:@asyncapi/generator-components @package.version:0.7.1)
OR (@package.normalized_name:@asyncapi/generator-helpers @package.version:1.1.1)
OR (@package.normalized_name:@asyncapi/specs @package.version:(6.11.2 OR 6.11.2-alpha.1))