Type
Campaign
Actors
Pub. date
July 14, 2026
Initial access
Supply chain vector
Impact
Supply chain attack
Observed techniques
Status
Finalized
Last edited
Jul 15, 2026 1:59 PM
On July 14, 2026, an attacker opened 37 pull requests to the AsyncAPI generator repository. Almost all attempted to add a fake charity donation page. Camouflage in the noise, a single PR exploited a misconfigured GitHub Actions workflow to steal a highly privileged Personal Access Token.
Four malicious npm packages (five total versions) were published under the @asyncapi namespace. The packages contain a multi-stage payload that establishes persistence and connects to command and control infrastructure. Combined, these packages see over three million downloads a week. In this case, the payload executes on import/require, not install.