
Open source software has become a cornerstone of modern application development, but it has also expanded the number of places where attackers can attempt to insert malicious code. As software delivery becomes more automated, security incidents increasingly involve the systems that build and distribute software rather than the applications themselves.
That trend is reflected in new research from Upwind, which investigated a coordinated software supply chain attack involving multiple official AsyncAPI npm packages. The company’s findings indicate that attackers compromised multiple repositories and publishing pipelines, enabling malicious code to be released through legitimate distribution channels.
A broader compromise than a typical package attack
Many software supply chain incidents revolve around a single compromised package. Upwind’s investigation, however, found evidence of a campaign that reached multiple parts of the AsyncAPI ecosystem.
Researchers confirmed that two GitHub repositories had been compromised during the operation. They also identified a second independent repository compromise, showing that attackers gained access to more than one publishing pipeline.
According to the company, the attackers targeted different release branches while abusing different OpenID Connect (OIDC) publishing identities within a short period. The combination of these activities suggests a coordinated campaign rather than unrelated compromises.
By compromising multiple release processes, the attackers were able to distribute backdoored packages through official publishing channels that developers routinely rely on.
Malicious behavior occurred after installation
The investigation also documented a notable change in execution techniques.
Rather than using preinstall or postinstall scripts, the malicious code was designed to execute during normal package imports or through alternative execution paths. Because the code ran during expected application workflows, it would be less likely to trigger security tools that primarily monitor package installation.
Researchers observed several execution methods throughout the campaign. Even with those variations, they identified recurring infrastructure and malware patterns across the compromised repositories and publishing pipelines, linking the incidents to the same coordinated operation.
Development environments were placed at risk
According to Upwind, the compromised packages appeared legitimate because they originated from official publishing channels. Organizations relying on standard dependency management practices therefore had little reason to suspect that the software had been altered.
The company said developer workstations and CI/CD environments that imported the affected packages should be considered potentially compromised, as the malicious code was designed to execute during routine package use rather than through an obvious installation event.
“This wasn’t just a malicious package -it was a compromise of trust,” said Amiram Shachar, CEO and Co-Founder of Upwind. “Multiple official AsyncAPI packages were published with backdoored code from separate repositories and publishing pipelines, showing that attackers are increasingly targeting the software release process itself.”
Recommended response
Based on its investigation, Upwind recommends that organizations determine whether affected package versions entered their development environments.
The company advises verifying the precise versions of dependencies currently in use, pinning dependencies to verified and trusted releases, and reviewing dependency updates, lockfiles, and Software Bills of Materials (SBOMs) for unexpected changes.
Organizations should also treat developer workstations and CI/CD runners that imported the affected packages as potentially compromised and rotate credentials that were accessible from those systems.
Strengthening software supply chain security
The investigation illustrates how software supply chain attacks continue to evolve alongside modern development practices. As attackers increasingly target release processes and modify how malicious code executes, organizations face new challenges in identifying compromised software before it affects development environments.
Upwind said it continues to monitor the campaign and recommends that organizations strengthen software supply chain security with runtime visibility and continuous monitoring throughout the software development lifecycle. According to the company, these capabilities can help identify malicious behavior that may not be detected during package installation or through static code analysis.