ON July 14, 2026, a critical security incident occurred when malicious versions of three packages from the AsyncAPI generator monorepo were published to npm. The packages, namely @asyncapi/generator@3.3.1, @asyncapi/generator-helpers@1.1.1, and @asyncapi/generator-components@0.7.1, included an obfuscated dropper that activated upon library loading rather than installation, exploiting the project's GitHub Actions CI/CD process to publish through a compromised next branch.
The attack was characterized by a SIP-aware obfuscation process and the inclusion of a second-stage payload that could download further malicious files from IPFS. The incident highlighted the vulnerabilities of CI/CD pipelines and the importance of branch protection to prevent similar future breaches. StepSecurity's tools, such as Harden Runner and Secure Registry, could have mitigated the impact of this attack.