Wireby Fusion42
Read this story on the live Wire →

Wire · founder news, decoded · operational-macro

AsyncAPI npm organization compromised, 2M weekly downloads affected

AsyncAPI's npm organisation was compromised, injecting a sophisticated multi-stage malware dropper into four core packages with 2M+ weekly downloads. The malware acts as a crypto-stealer, info-stealer and RAT, using IPFS and BitTorrent for persistence and attempting to self-replicate across npm, PyPI and Cargo registries.

This Wire brief sits within Fusion42's coverage of Developer Tools and Cybersecurity. Wire is Fusion42's founder-focused intelligence feed: each story is connected to the funds and startups it names — every one with a live profile on Raise or Scout — so founders can follow the capital and the momentum behind the headline rather than just the headline itself. Wire analysis is one of the live surfaces Arthur, Fusion42's AI co-founder, reasons over.

The Wire takeaway

If you use AsyncAPI generator packages, your developer tokens and crypto wallets are now actively hunted. Revoke every npm, PyPI and Cargo token from any machine that downloaded versions 3.3.1 or earlier of @asyncapi/generator—the malware spreads itself across all three registries if it finds one working credential.

Read the full story at ox.security

Topics: Developer Tools · Cybersecurity · npm-security · supply-chain · malware · developer-tools · package-compromise

Related on Wire

Verified 15 July 2026 · Sources: Fusion42 review