An investigation by cloud security company Upwind has revealed a coordinated compromise involving multiple official AsyncAPI npm packages, offering new insight into how software supply chain attacks are evolving. Rather than targeting a single package or repository, the campaign involved multiple repositories, release branches, and publishing pipelines, indicating a broader effort to exploit trusted software distribution mechanisms.
The findings point to a shift in attacker strategy. Instead of focusing on isolated package compromises, the operation appeared designed to interfere with the software release process itself, increasing both the potential reach of the attack and the difficulty of detecting it.
Multiple publishing pipelines were compromised
According to Upwind, researchers confirmed that attackers gained access to two separate GitHub repositories associated with the AsyncAPI ecosystem. During the investigation, they also identified a second independent repository compromise, strengthening the conclusion that more than one publishing pipeline had been breached.
The attackers targeted different release branches and abused separate OpenID Connect (OIDC) publishing identities within a relatively short period. Upwind said the combination of these activities suggests a coordinated campaign rather than unrelated incidents occurring simultaneously.
By compromising multiple publishing paths, the attackers were able to distribute malicious code through official channels that developers generally trust when managing software dependencies.
Execution methods continue to evolve
The investigation found that the attackers did not rely on execution techniques commonly associated with npm supply chain attacks.
Instead of triggering malicious behavior through preinstall or postinstall scripts, the code executed during standard package imports or through alternative execution paths. This approach allows malicious activity to blend into normal application behavior, making detection more challenging for security tools that focus primarily on package installation.
Researchers also observed several execution techniques throughout the campaign. Although the methods varied, Upwind identified consistent infrastructure and malware patterns across the compromised repositories and publishing pipelines, suggesting that the same threat actors were responsible for the activity.
Trust in official packages becomes the target
Because the affected packages were published through official channels, organizations following standard dependency management practices could unknowingly introduce malicious code into their development environments.
According to Upwind, both developer workstations and CI/CD runners that imported the compromised packages should be considered at risk. Since the packages appeared legitimate, there would have been little reason for developers to suspect they contained backdoored code.
“This wasn’t just a malicious package -it was a compromise of trust,” said Amiram Shachar, CEO and Co-Founder of Upwind. “Multiple official AsyncAPI packages were published with backdoored code from separate repositories and publishing pipelines, showing that attackers are increasingly targeting the software release process itself.”
His comments reflect one of the investigation’s central conclusions: trusted software distribution infrastructure is becoming an increasingly valuable target for attackers seeking to maximize the reach of a compromise.
Reviewing development environments
Following the investigation, Upwind recommends that organizations determine whether affected package versions were introduced into their software development environments.
Among the company’s recommendations are verifying the exact package versions currently in use, pinning dependencies to trusted releases, and reviewing dependency updates, lockfiles, and Software Bills of Materials (SBOMs) for unexpected modifications.
The company also advises treating developer workstations and CI/CD runners that imported the affected packages as potentially compromised. Organizations should also rotate credentials that were accessible from those environments.
Strengthening visibility throughout the development lifecycle
The investigation underscores how changes in attacker techniques are influencing software security practices. As malicious code is increasingly designed to execute during normal application workflows, organizations may need greater visibility into runtime behavior rather than relying solely on installation monitoring or static analysis.
Upwind said it continues to monitor the campaign and encourages organizations to reassess their software supply chain security practices. The company’s findings suggest that defending modern development environments requires not only protecting code repositories and package managers, but also monitoring how trusted software behaves after it has been introduced into the development lifecycle.
John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.

