ON July 14, 2026, Microsoft discovered a coordinated supply chain attack affecting the @asyncapi npm organization. Malicious versions of five packages were republished, embedding a harmful loader that activated during module imports, bypassing typical npm safeguards. This allowed the attackers to execute injected code immediately when these packages were imported in various environments, leading to potential data exfiltration and unauthorized access.
The attack stemmed from an exploit of a misconfigured GitHub Actions workflow, which gave attackers unauthorized access to a privileged bot token. This facilitated the injection of malicious code into the packages, which were then published under a valid provenance. Microsoft Defender has put protections in place to identify and neutralize these threats, urging organizations to remove compromised versions and rotate credentials. Detailed guidance on mitigation is provided, emphasizing the need for careful monitoring and swift response to ensure security.