Upwind: AsyncAPI npm packages affected by a supply chain attack.
Developers frequently operate under the assumption that packages released through official channels have undergone a secure release process. This assumption is crucial to contemporary software development, where open source components are frequently integrated into applications via automated dependency management. A recent investigation indicates that this confidence can be undermined when attackers infiltrate the systems that manage software publication.
Cloud security firm Upwind has published results from an investigation into a coordinated attack impacting several official AsyncAPI npm packages. The findings reveal that the activity spanned multiple compromised packages, involving several repositories and publishing pipelines, which enabled the distribution of malicious code through legitimate release pathways.
The investigation identified several compromise points. Upwind’s research indicates that the campaign affected various aspects of the AsyncAPI ecosystem. Researchers confirmed that attackers compromised two distinct GitHub repositories and subsequently identified a separate, independent repository breach. They also noted attacks on different release branches and the misuse of various OpenID Connect (OIDC) publishing identities within a relatively short duration. Collectively, these findings imply that the attackers accessed multiple publishing pipelines instead of exploiting a singular vulnerability in the release process. The investigation concludes that this operation represented a coordinated effort targeting the software release process rather than a one-time package compromise.
One noteworthy aspect of the campaign was how the malicious code was executed after the compromised packages were utilized. According to Upwind, the attackers deviated from techniques typically linked with npm supply chain attacks. Instead of relying on preinstall or postinstall scripts, the malicious code was executed during standard package imports or through alternative execution routes. Since these actions were part of the expected application workflow, identifying the activity with security tools focused on monitoring package installations proved more difficult.
Researchers also noted that while the methods of execution varied throughout the campaign, the attackers consistently reused the same infrastructure and malware techniques across the compromised repositories and publishing pipelines.
The implications of these findings extend beyond the package maintainers. The compromised packages were released through official channels and appeared legitimate to organizations adhering to standard dependency management practices. Consequently, the repercussions were not confined to the repositories alone. Upwind noted that developer workstations and CI/CD environments that incorporated the affected packages should be regarded as potentially compromised due to the malicious code executing during normal package use.
“This wasn’t merely a malicious package - it represented a compromise of trust,” stated Amiram Shachar, CEO and Co-Founder of Upwind. “Multiple official AsyncAPI packages contained backdoored code from different repositories and publishing pipelines, illustrating that attackers are increasingly targeting the software release process itself.”
These findings highlight how attacks on software distribution can impact downstream users, even when they procure packages from trusted sources.
In the wake of the investigation, Upwind recommends that organizations assess whether any affected package versions have been integrated into their development environments. The company suggests verifying specific dependency versions instead of assuming that newer releases are secure. It also advises locking dependencies to confirmed versions and scrutinizing dependency updates, lockfiles, and Software Bills of Materials (SBOMs) for any unexpected alterations. Organizations should also regard developer workstations and CI/CD runners that utilized the affected packages as potentially compromised and rotate any credentials that might have been accessible from those environments.
Upwind emphasizes the significance of monitoring software throughout the development lifecycle. As attackers shift away from methodologies that activate during installation, triggering malicious code during routine application behavior, organizations need enhanced visibility into software once it has been introduced into development environments. The company continues to monitor the ongoing campaign while urging organizations to bolster their software supply chain security measures as attacks aimed at software release processes continue to evolve.
Other articles
Upwind: AsyncAPI npm packages affected by a supply chain attack.
Upwind identifies several compromised AsyncAPI npm packages linked to a coordinated supply chain attack aimed at software release processes and publishing identities.
