Wire · founder news, decoded · operational-macro
AsyncAPI npm organization compromised, 2M weekly downloads affected
AsyncAPI's npm organisation was compromised, injecting a sophisticated multi-stage malware dropper into four core packages with 2M+ weekly downloads. The malware acts as a crypto-stealer, info-stealer and RAT, using IPFS and BitTorrent for persistence and attempting to self-replicate across npm, PyPI and Cargo registries.
This Wire brief sits within Fusion42's coverage of Developer Tools and Cybersecurity. Wire is Fusion42's founder-focused intelligence feed: each story is connected to the funds and startups it names — every one with a live profile on Raise or Scout — so founders can follow the capital and the momentum behind the headline rather than just the headline itself. Wire analysis is one of the live surfaces Arthur, Fusion42's AI co-founder, reasons over.
The Wire takeaway
If you use AsyncAPI generator packages, your developer tokens and crypto wallets are now actively hunted. Revoke every npm, PyPI and Cargo token from any machine that downloaded versions 3.3.1 or earlier of @asyncapi/generator—the malware spreads itself across all three registries if it finds one working credential.
Read the full story at ox.security →
Topics: Developer Tools · Cybersecurity · npm-security · supply-chain · malware · developer-tools · package-compromise