Upwind links compromise of multiple AsyncAPI npm packages to coordinated attack on software release process


Upwind links compromise of multiple AsyncAPI npm packages to coordinated attack on software release process Image by: Upwind

Developers often assume that packages published through official channels have passed through a secure release process. That assumption is fundamental to modern software development, where open source components are routinely integrated into applications through automated dependency management. A new investigation suggests that confidence can be challenged when attackers gain access to the systems responsible for publishing software.

Cloud security company Upwind has released findings from an investigation into a coordinated attack affecting multiple official AsyncAPI npm packages. According to the company, the activity extended beyond a single compromised package and instead involved multiple repositories and publishing pipelines, allowing malicious code to be distributed through legitimate release channels.

The investigation uncovered multiple points of compromise

Upwind’s research found that the campaign affected several parts of the AsyncAPI ecosystem.

Researchers confirmed that attackers compromised two separate GitHub repositories and later identified a second independent repository compromise. They also observed attacks against different release branches and the abuse of different OpenID Connect (OIDC) publishing identities within a relatively short timeframe.

Taken together, those findings suggest the attackers gained access to multiple publishing pipelines rather than exploiting a single weakness in the release process.

The investigation concludes that the operation represented a coordinated campaign aimed at the software release process itself instead of a one-off package compromise.

Malicious code arrived through expected workflows

One aspect of the campaign that drew researchers’ attention was how the malicious code was executed after the compromised packages were used.

According to Upwind, the attackers moved away from techniques commonly associated with npm supply chain attacks. Instead of using preinstall or postinstall scripts, the malicious code executed during normal package imports or through alternative execution paths.

Because those actions occurred as part of expected application behavior, the activity would be more difficult to identify using security tools that focus primarily on monitoring package installation.

Researchers also observed that while execution methods varied across the campaign, the attackers repeatedly reused the same infrastructure and malware patterns across the compromised repositories and publishing pipelines.

The implications extend beyond package maintainers

The affected packages were published through official channels and appeared legitimate to organizations relying on standard dependency management practices.

That means the impact was not limited to the repositories themselves. Upwind said developer workstations and CI/CD environments that imported the affected packages should be treated as potentially compromised because the malicious code was designed to execute during routine package usage.

“This wasn’t just a malicious package -it was a compromise of trust,” said Amiram Shachar, CEO and Co-Founder of Upwind. “Multiple official AsyncAPI packages were published with backdoored code from separate repositories and publishing pipelines, showing that attackers are increasingly targeting the software release process itself.”

The findings underscore how attacks against software distribution can affect downstream users even when they obtain packages from legitimate sources.

Reviewing dependencies after the incident

Following the investigation, Upwind recommends that organizations review whether affected package versions entered their development environments.

The company advises verifying exact dependency versions instead of assuming current releases are safe. It also recommends pinning dependencies to verified versions and reviewing dependency updates, lockfiles, and Software Bills of Materials (SBOMs) for unexpected changes.

Organizations should also consider developer workstations and CI/CD runners that imported the affected packages as potentially compromised and rotate any credentials that were accessible from those environments.

Visibility across the development lifecycle

Upwind says the investigation demonstrates why monitoring software throughout the development lifecycle is becoming increasingly important. As attackers move away from techniques that execute during installation and instead trigger malicious code during normal application behavior, organizations need visibility into software after it has been introduced into development environments.

The company said it continues to monitor the campaign while encouraging organizations to strengthen software supply chain security practices as attacks targeting software release processes continue to evolve.

Get the TNW newsletter

Get the most important tech news in your inbox each week.