A supply chain attack on AsyncAPI npm packages has been disclosed, affecting four packages with over 2 million weekly downloads. The malware, which includes capabilities for info-stealing, crypto-theft, and remote access, was injected into packages widely used by developers. This sophisticated attack utilizes IPFS and BitTorrent for resilient communication and self-propagation.
Researchers advise users of the compromised versions to revoke npm, PyPI, and Cargo tokens and monitor for unauthorized changes in their packages. The attackers embedded the malicious code in the main JavaScript files, bypassing npm's security measures.