Security advisory from SafeDep. On 14 July 2026 an attacker published malicious, credential-stealing versions of four @asyncapi npm packages. Your dependency graph pulls in one of them. You are most likely safe. You are only exposed if your lockfile pins a malicious version below.
How it reaches you (from your GitHub dependency graph):
storm-software/stormstack → @asyncapi/generator@^1.10.14
storm-software/stormstack → @asyncapi/generator@^1.10.14
storm-software/stormstack → @eventcatalog/plugin-doc-generator-asyncapi@0.3.5 → @asyncapi/parser@1.18.1 → @asyncapi/specs@4.3.1
storm-software/stormstack → @asyncapi/generator@1.13.1
storm-software/stormstack → @asyncapi/generator@1.13.1 → @asyncapi/parser@2.1.0 → @asyncapi/specs@5.1.0
storm-software/stormstack → @asyncapi/parser@3.0.0-next-major-spec.3 → @asyncapi/specs@6.0.0-next-major-spec.8
Verify it yourself
Malicious → safe versions
@asyncapi/generator 3.3.1 → 3.3.0
@asyncapi/generator-helpers 1.1.1 → 1.1.0
@asyncapi/generator-components 0.7.1 → 0.7.0
@asyncapi/specs 6.11.2 / 6.11.2-alpha.1 → 6.11.1
What to do: grep your lockfile for the malicious versions. If none appear, pin the safe versions and you are done. If one appears, the payload dropped a sync.js backdoor and stole credentials, so rotate the build machine's npm, GitHub, SSH, and AWS tokens plus browser passwords.
Full analysis: https://safedep.io/asyncapi-generator-supply-chain-attack-miasma-rat/
Security advisory from SafeDep. On 14 July 2026 an attacker published malicious, credential-stealing versions of four
@asyncapinpm packages. Your dependency graph pulls in one of them. You are most likely safe. You are only exposed if your lockfile pins a malicious version below.How it reaches you (from your GitHub dependency graph):
storm-software/stormstack→@asyncapi/generator@^1.10.14storm-software/stormstack→@asyncapi/generator@^1.10.14storm-software/stormstack→@eventcatalog/plugin-doc-generator-asyncapi@0.3.5→@asyncapi/parser@1.18.1→@asyncapi/specs@4.3.1storm-software/stormstack→@asyncapi/generator@1.13.1storm-software/stormstack→@asyncapi/generator@1.13.1→@asyncapi/parser@2.1.0→@asyncapi/specs@5.1.0storm-software/stormstack→@asyncapi/parser@3.0.0-next-major-spec.3→@asyncapi/specs@6.0.0-next-major-spec.8Verify it yourself
Malicious → safe versions
@asyncapi/generator3.3.1→3.3.0@asyncapi/generator-helpers1.1.1→1.1.0@asyncapi/generator-components0.7.1→0.7.0@asyncapi/specs6.11.2/6.11.2-alpha.1→6.11.1What to do: grep your lockfile for the malicious versions. If none appear, pin the safe versions and you are done. If one appears, the payload dropped a
sync.jsbackdoor and stole credentials, so rotate the build machine's npm, GitHub, SSH, and AWS tokens plus browser passwords.Full analysis: https://safedep.io/asyncapi-generator-supply-chain-attack-miasma-rat/