emerging threats and vulnerabilities

Compromised AsyncAPI packages on npm deliver malware

July 14, 2026

Compromised Asyncapi Packages On Npm Deliver Malware

Key points and observations

  • A commit to the asyncapi/generator GitHub repository (3eab3ec9304aa26081358330491d3cfeb55cc245) injected obfuscated JavaScript into source files across multiple packages
  • Four malicious versions were published to npm on 2026-07-14:
    • @asyncapi/generator@3.3.1
    • @asyncapi/generator-components@0.7.1
    • @asyncapi/generator-helpers@1.1.1
    • @asyncapi/specs@6.11.2 (also 6.11.2-alpha.1)
  • Combined pre-incident weekly download volume across these packages exceeds 3 million (@asyncapi/specs alone accounts for ~2M/week), making this a high-exposure event.
  • As of this writing, no revert, deprecation, or maintainer advisory has been published for any of the four malicious versions. This is an active, unremediated incident.

Developing situation

This is a developing situation and we'll publish an in-depth analysis of this campaign in the coming hours.

How to know if you're affected

You're affected if you're using one of the following package versions:

Package Malicious version(s)
@asyncapi/generator 3.3.1
@asyncapi/generator-components 0.7.1
@asyncapi/generator-helpers 1.1.1
@asyncapi/specs 6.11.2, 6.11.2-alpha.1

How Datadog can help

Datadog Code Security can identify hosts, containers, and build environments where the compromised version was installed. Use the following query in the Software Composition Analysis (SCA) to scope affected systems:

(@package.normalized_name:@asyncapi/generator @package.version:3.3.1)
OR (@package.normalized_name:@asyncapi/generator-components @package.version:0.7.1)
OR (@package.normalized_name:@asyncapi/generator-helpers @package.version:1.1.1)
OR (@package.normalized_name:@asyncapi/specs @package.version:(6.11.2 OR 6.11.2-alpha.1))

Did you find this article helpful?

Subscribe to the Datadog Security Digest

Get the latest insights from the cloud security community and Security Labs posts, delivered to your inbox monthly. No spam.

Related Content