Introduction
A critical supply-chain compromise has hit the Node.js ecosystem. Security researchers have identified five malicious versions of the popular AsyncAPI packages published to the official npm registry. These packages are not merely typosquats; they are instrumented with a fully functional Remote Access Trojan (RAT) featuring credential-stealing capabilities.
For organizations leveraging AsyncAPI for event-driven architecture, this is a high-severity event. Installation of these tainted packages results in immediate compromise of the developer workstation or CI/CD runner, providing attackers with remote access and the ability to siphon authentication tokens, keys, and system metadata. Defenders must act immediately to identify and eradicate these dependencies before credential material is exfiltrated.
Technical Analysis
Affected Products & Platforms:
- Platform: Node.js (cross-platform: Windows, Linux, macOS)
- Registry: npm (npmjs.com)
- Packages: AsyncAPI (specific malicious versions identified in the vendor advisory)
Threat Mechanics: This attack vector relies on the inherent trust developers place in the npm ecosystem. The malicious packages contain a Remote Access Trojan (RAT) obfuscated within the package code.
-
Attack Chain:
- Compromise: Attacker publishes malicious version of AsyncAPI.
- Execution: Developer or build pipeline runs
npm install. - Trigger: The package executes a
postinstallscript (a standard lifecycle hook in npm). - Payload: The script decrypts and launches the RAT binary/embedded code.
- C2 & Exfil: The RAT establishes a reverse shell or HTTP beacon to a Command & Control (C2) server and begins scraping environment variables (
.env), SSH keys, and browser credentials.
-
Exploitation Status: Confirmed active exploitation. The packages are live on the registry, and installation results in immediate code execution. No CVE has been assigned as this is malicious code injection rather than a software vulnerability, but the impact is equivalent to a critical RCE.
Detection & Response
The following detection logic focuses on identifying the behavioral anomalies of a Node.js package spawning a shell or RAT—a highly suspicious activity for a library dependency.
Sigma Rules
---
title: Suspicious Node.js Child Process - Potential Supply Chain RAT
id: 9a8b7c6d-5e4f-3a2b-1c0d-9e8f7a6b5c4d
status: experimental
description: Detects Node.js spawning cmd.exe, powershell.exe, or bash, indicative of a malicious package executing a payload or RAT.
references:
- https://attack.mitre.org/techniques/T1059/
author: Security Arsenal
date: 2026/04/06
tags:
- attack.execution
- attack.t1059.003
- attack.t1059.004
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith:
- '\node.exe'
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
filter_legit_devtools:
CommandLine|contains:
- 'npm'
- 'yarn'
- 'webpack'
- 'vite'
condition: selection and not filter_legit_devtools
falsepositives:
- Legitimate build scripts utilizing system shells
level: high
---
title: AsyncAPI Malicious Package Installation Attempt
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects execution of npm install command targeting specific AsyncAPI versions associated with the supply chain attack (Generic heuristic for rapid response).
references:
- https://www.npmjs.com/package/asyncapi
author: Security Arsenal
date: 2026/04/06
tags:
- attack.initial_access
- attack.t1195.002
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\npm.cmd'
- '\npm.exe'
CommandLine|contains:
- 'install'
- 'i '
CommandLine|contains:
- 'asyncapi'
condition: selection
falsepositives:
- Legitimate installation of AsyncAPI by developers
level: medium
KQL (Microsoft Sentinel)
// Hunt for Node.js spawning suspicious child processes (RAT behavior)
DeviceProcessEvents
| where InitiatingProcessFileName =~ "node.exe"
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "bash", "sh")
| extend PackageArgs = tostring(CommandLine)
| where not(PackageArgs contains "npm" or PackageArgs contains "yarn" or PackageArgs contains "node_modules")
| project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, FileName, CommandLine
| order by Timestamp desc
Velociraptor VQL
-- Hunt for Node processes spawning shells (RAT behavior indicator)
SELECT Pid, Name, CommandLine, Exe, Username, CreateTime
FROM pslist()
WHERE Name = 'node'
AND EXISTS(
SELECT Pid
FROM chain(parent=pslist(), depth=1)
WHERE Name IN ('cmd', 'powershell', 'pwsh', 'bash', 'sh')
AND NOT CommandLine =~ '(npm|yarn|webpack)'
)
Remediation Script (Bash)
#!/bin/bash
# Audit and Remediation Script for AsyncAPI Supply Chain Compromise
# Run this in your project root directories
echo "[*] Scanning for AsyncAPI dependency..."
# Check if asyncapi is in package.
if grep -q '"asyncapi"' package. 2>/dev/null; then
echo "[!] WARNING: AsyncAPI dependency found in package.."
# List installed version
INSTALLED_VERSION=$(npm list asyncapi --depth=0 2>/dev/null | grep asyncapi | awk '{print $2}' | tr -d '└─' | xargs)
echo "[+] Currently installed version: $INSTALLED_VERSION"
echo "[!] ACTION REQUIRED:"
echo "1. Verify the installed version against the official AsyncAPI security advisory."
echo "2. If malicious, remove the package: npm uninstall asyncapi"
echo "3. Reinstall the clean version: npm install asyncapi@latest"
# Optional: Force clean install of all dependencies to clear node_modules
read -p "Do you want to perform a fresh 'npm ci' to ensure no remnants exist? (y/n) " -n 1 -r
echo
if [[ $REPLY =~ ^[Yy]$ ]]; then
echo "[*] Removing node_modules and package-lock...."
rm -rf node_modules package-lock.
echo "[*] Reinstalling dependencies..."
npm ci
echo "[*] Complete. Please rotate any exposed credentials immediately."
fi
else
echo "[+] AsyncAPI not found in this project."
fi
Remediation
Immediate containment and eradication are required to prevent further credential loss.
1. Identification and Removal:
- Audit: Immediately check
package-lock.oryarn.lockforasyncapidependencies. - Version Verification: Compare installed versions against the official AsyncAPI security advisory. The five specific malicious versions must be removed.
- Removal: Run
npm uninstall asyncapior delete thenode_modulesdirectory entirely and restore from a known good backup ofpackage.before the compromise date.
2. Credential Rotation (CRITICAL):
- This RAT actively steals credentials. Assume that all credentials stored in the environment (
.envfiles), SSH keys (~/.ssh), and browser password managers on affected workstations or build agents are compromised. - Rotate: API keys, database strings, cloud provider keys (AWS/Azure/GCP), and Git tokens immediately.
- Revoke: Revoke SSH keys that may have been exfiltrated.
3. Pipeline Hygiene:
- If this package was pulled into a CI/CD pipeline, assume the build runner is compromised. Re-image the runner and rotate all pipeline secrets.
- Implement
npm ci(clean install) in builds rather thannpm installto ensure reproducibility and prevent accidental inclusion of updated malicious packages if lockfiles are ignored.
4. Vendor Advisory:
- Monitor the official AsyncAPI GitHub repository and npm advisory page for the list of specific malicious hashes and versions.
Category: Vulnerability Management
Related Resources
Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.