www.stepsecurity.io 7/14/2026, 9:10:56 AM · external

Malicious npm packages breach AsyncAPI CI/CD, drop IPFS malware

Malicious npm packages breach AsyncAPI CI/CD, drop IPFS malware
CyberSIXT Evidence Panel Source marked as original reporting

ON July 14, 2026, a critical security incident occurred when malicious versions of three packages from the AsyncAPI generator monorepo were published to npm. The packages, namely @asyncapi/generator@3.3.1, @asyncapi/generator-helpers@1.1.1, and @asyncapi/generator-components@0.7.1, included an obfuscated dropper that activated upon library loading rather than installation, exploiting the project's GitHub Actions CI/CD process to publish through a compromised next branch.

The attack was characterized by a SIP-aware obfuscation process and the inclusion of a second-stage payload that could download further malicious files from IPFS. The incident highlighted the vulnerabilities of CI/CD pipelines and the importance of branch protection to prevent similar future breaches. StepSecurity's tools, such as Harden Runner and Secure Registry, could have mitigated the impact of this attack.

View full article

Article by CyberSIXT