Security advisory from SafeDep. On 14 July 2026 an attacker published malicious, credential-stealing versions of four @asyncapi npm packages. Your dependency graph pulls in one of them. You are most likely safe. You are only exposed if your lockfile pins a malicious version below.
How it reaches you (from your GitHub dependency graph):
mitodl/mit-learn → @grafana/openapi-to-k6@0.4.1 → orval@7.21.0 → @orval/core@7.21.0 → @ibm-cloud/openapi-ruleset@1.33.8 → @stoplight/spectral-rulesets@1.22.1 → @asyncapi/specs@6.11.1
Verify it yourself
Malicious → safe versions
@asyncapi/generator 3.3.1 → 3.3.0
@asyncapi/generator-helpers 1.1.1 → 1.1.0
@asyncapi/generator-components 0.7.1 → 0.7.0
@asyncapi/specs 6.11.2 / 6.11.2-alpha.1 → 6.11.1
What to do: grep your lockfile for the malicious versions. If none appear, pin the safe versions and you are done. If one appears, the payload dropped a sync.js backdoor and stole credentials, so rotate the build machine's npm, GitHub, SSH, and AWS tokens plus browser passwords.
Full analysis: https://safedep.io/asyncapi-generator-supply-chain-attack-miasma-rat/
Security advisory from SafeDep. On 14 July 2026 an attacker published malicious, credential-stealing versions of four
@asyncapinpm packages. Your dependency graph pulls in one of them. You are most likely safe. You are only exposed if your lockfile pins a malicious version below.How it reaches you (from your GitHub dependency graph):
mitodl/mit-learn→@grafana/openapi-to-k6@0.4.1→orval@7.21.0→@orval/core@7.21.0→@ibm-cloud/openapi-ruleset@1.33.8→@stoplight/spectral-rulesets@1.22.1→@asyncapi/specs@6.11.1Verify it yourself
Malicious → safe versions
@asyncapi/generator3.3.1→3.3.0@asyncapi/generator-helpers1.1.1→1.1.0@asyncapi/generator-components0.7.1→0.7.0@asyncapi/specs6.11.2/6.11.2-alpha.1→6.11.1What to do: grep your lockfile for the malicious versions. If none appear, pin the safe versions and you are done. If one appears, the payload dropped a
sync.jsbackdoor and stole credentials, so rotate the build machine's npm, GitHub, SSH, and AWS tokens plus browser passwords.Full analysis: https://safedep.io/asyncapi-generator-supply-chain-attack-miasma-rat/