Full Report
Detect and mitigate malicious @asyncapi npm packages linked to the latest npm supply chain attack.
Analysis Summary
# Incident Report: AsyncAPI Supply Chain Compromise via GitHub Actions
## Executive Summary
In July 2026, the AsyncAPI ecosystem fell victim to a supply chain attack stemming from a "pwn request" vulnerability in GitHub Actions. An attacker successfully exfiltrated a highly privileged Personal Access Token (PAT) by exploiting a misconfigured workflow, subsequently publishing five malicious versions of `@asyncapi` npm packages. These packages contained a multi-stage Trojan payload (M-RED-TEAM v6.4) designed for persistence and Command and Control (C2) communication.
## Incident Details
- **Discovery Date:** July 14, 2026
- **Incident Date:** July 14, 2026
- **Affected Organization:** AsyncAPI
- **Sector:** Open Source Software / Technology
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** July 14, 2026, 05:08 UTC
- **Vector:** GitHub Actions "Pwn Request" exploit on `asyncapi/generator` repository.
- **Details:** The attacker opened PR #2155. Because the repository used `pull_request_target` while checking out untrusted code from the PR branch, the attacker’s obfuscated JavaScript payload executed in a privileged environment, stealing the `asyncapi-bot` PAT.
### Lateral Movement
- **Mechanism:** The attacker used the stolen PAT to bypass standard contribution workflows, pushing malicious commits directly to the `next` branch of `asyncapi/generator` and the `asyncapi/spec-json-schemas` repository.
### Data Exfiltration/Impact
- **Impact:** Five malicious package versions were published to npm. The malware included a commands framework with capabilities such as directory listing, file retrieval (GetFile), and file uploading (PutFile).
### Detection & Response
- **Discovery:** Automated review systems flagged the obfuscation in the initial PR, and the incident was analyzed by the Wiz research team.
- **Response Actions:** Identification of compromised versions, analysis of the "M-RED-TEAM" payload, and notification regarding the vulnerable GitHub Action configuration that had been left unpatched for 58 days.
## Attack Methodology
- **Initial Access:** Exploitation of `pull_request_target` workflow misconfiguration.
- **Persistence:** Multi-stage payload; Stage 3 uses `miasma-monitor.service` for system persistence.
- **Defense Evasion:** Use of `javascript-obfuscator` with custom base64 alphabets and hiding code behind 1,000+ bytes of whitespace in Markdown files.
- **Credential Access:** Exfiltration of GitHub Personal Access Tokens (PATs) to a dead-drop URL.
- **Discovery:** Environment variable scanning on the GitHub Actions runner.
- **Lateral Movement:** Direct commits to protected branches using stolen service account credentials.
- **Collection:** Trojan capabilities for manual data gathering.
- **Exfiltration:** Use of Nostr relay for C2 and Rentry[.]co for initial secret exfiltration.
- **Impact:** Potential compromise of over 140,000 daily package downloads.
## Impact Assessment
- **Financial:** Unknown; potential costs associated with remediation and downstream impact on users.
- **Data Breach:** Compromise of internal GitHub PATs and potential access to private data on machines running the malicious npm packages.
- **Operational:** Disruption of the AsyncAPI release pipeline and necessity for package rollbacks.
- **Reputational:** High; marks another successful supply chain attack against a major open-source namespace.
## Indicators of Compromise
- **Network Indicators:**
- `rentry[.]co/elzotebo` (Initial exfiltration)
- Nostr relay communication (C2)
- **File Indicators:**
- Malicious `@asyncapi` npm packages (various versions).
- Presence of `miasma-monitor.service`.
- **Behavioral Indicators:**
- Unexpected outbound traffic from GitHub Action runners to pastebin sites.
- Large segments of whitespace in source code/Markdown files.
## Response Actions
- **Containment:** Flagging and subsequent removal/deprecation of malicious npm package versions.
- **Eradication:** Revocation of the compromised `asyncapi-bot` Personal Access Token.
- **Recovery:** Remediation of the vulnerable GitHub Action workflow by implementing a two-job strategy to isolate secrets.
## Lessons Learned
- **Vulnerability Lag:** A fix for the specific vulnerable workflow had been proposed 58 days prior to the attack but remained unmerged.
- **Secret Scoping:** Service accounts (like `asyncapi-bot`) should have the minimum permissions necessary and should not have broad organization-wide access if used in automated workflows.
- **Review Processes:** While automated tools flagged the PR, the "pwn request" allowed the attack to succeed before human intervention could stop the automated secret exfiltration.
## Recommendations
- **GitHub Actions Security:** Strictly avoid using `pull_request_target` in conjunction with `git checkout` of a PR head branch. Use the "Label Trigger" pattern or separate workflows for untrusted code.
- **Dependency Pinning:** Users should use lockfiles or specific versions and regularly audit their dependency trees for unexpected changes.
- **Secret Management:** Move from long-lived PATs to fine-grained GitHub Apps or OpenID Connect (OIDC) where possible to limit the blast radius of stolen credentials.