A major supply chain attack has compromised AsyncAPI npm packages that collectively receive over two million downloads per week, with attackers injecting malware into the widely used developer tools. The breach, reported by Security Affairs citing research from cybersecurity firm OX Security, underscores the growing threat to open-source software infrastructure.
According to the report, attackers breached the AsyncAPI npm organization and injected malicious code into multiple packages. Affected versions include @asyncapi/generator version 3.3.1 and @asyncapi/generator-components version 0.7.1. The malware, associated with threat actors tracked as TeamPCP and linked to families designated Miasma and Shai-Hulud, was designed to carry out data theft, cryptocurrency wallet hijacking, and remote access trojan operations.
This multi-pronged approach suggests attackers sought both immediate financial gain through crypto theft and persistent, covert access to compromised systems for broader infiltration.
The AsyncAPI ecosystem is widely used for designing and documenting event-driven architectures, making these packages integral to countless development pipelines. Security researchers warn that any team that pulled the affected versions during the attack window may be exposed to compromise.
In response to the incident, security experts recommend that development teams take immediate action. Teams should audit their dependency manifests and lockfiles for affected versions, update to patched releases, and adopt proactive supply chain security practices including pinning dependencies to verified versions, enforcing integrity checks in CI/CD pipelines, and monitoring for unauthorized changes.
The compromise highlights a systemic vulnerability in open-source development, where implicit trust in established packages can be exploited for large-scale attacks. As open-source software remains fundamental to modern development workflows, this incident reinforces the need for rigorous, proactive supply chain security measures.
一宗大規模供應鏈攻擊已入侵每週合計接收超過兩百萬次下載的 AsyncAPI npm 套件,攻擊者將惡意軟件注入這些廣泛使用的開發者工具。據 Security Affairs 引用網絡安全公司 OX Security 研究報告指出,此事件凸顯開源軟件基礎設施面臨日益嚴重的威脅。
報告指出,攻擊者入侵 AsyncAPI npm 組織後,將惡意代碼注入多個套件。受影響版本包括 @asyncapi/generator 3.3.1 及 @asyncapi/generator-components 0.7.1。該惡意軟件與被追蹤為 TeamPCP 的威脅行為者相關,並連結至被命名為 Miasma 及 Shai-Hulud 的惡意軟件家族,旨在執行資料竊取、加密貨幣錢包劫持及遠端存取木馬操作。
這種多管齊下的攻擊策略顯示,攻擊者既追求透過加密貨幣竊取獲得即時經濟利益,也圖謀對被入侵系統進行持久、隱蔽的訪問以實現更廣泛的滲透。
AsyncAPI 生態系統廣泛應用於設計及記錄事件驅動架構,使這些套件成為無數開發流水線不可或缺的組成部分。安全研究人員警告,任何在攻擊窗口期間拉取受影響版本的團隊都可能面臨入侵風險。
針對此事件,安全專家建議開發團隊立即採取行動。團隊應審核其依賴項清單及鎖定文件以識別受影響版本,更新至已修補的版本,並採取主動的供應鏈安全措施,包括將依賴項固定至已驗證版本、在 CI/CD 流水線中強制執行完整性檢查,以及監控未經授權的更改。
此次入侵凸顯開源開發中的系統性漏洞,對已建立套件的隱含信任可能被利用進行大規模攻擊。隨著開源軟件仍然是現代開發工作流程的基石,此事件強化了實施嚴格、主動供應鏈安全措施的必要性。
