Security advisory from SafeDep. On 14 July 2026 an attacker published malicious, credential-stealing versions of four @asyncapi npm packages. Your dependency graph pulls in one of them. You are most likely safe. You are only exposed if your lockfile pins a malicious version below.
How it reaches you (from your GitHub dependency graph):
asyncapi/java-template → @asyncapi/generator@2.8.4 → @asyncapi/generator-helpers@1.0.0
asyncapi/java-template → @asyncapi/generator@2.8.4 → @asyncapi/generator-components@1.0.0
asyncapi/java-template → @asyncapi/generator@2.8.4
asyncapi/java-template → @asyncapi/parser@2.1.2 → @asyncapi/specs@5.1.0
asyncapi/java-template → @asyncapi/parser@3.4.0 → @asyncapi/specs@6.8.1
asyncapi/java-template → @asyncapi/parser@3.0.0-next-major-spec.8 → @asyncapi/specs@6.7.1
Verify it yourself
Malicious → safe versions
@asyncapi/generator 3.3.1 → 3.3.0
@asyncapi/generator-helpers 1.1.1 → 1.1.0
@asyncapi/generator-components 0.7.1 → 0.7.0
@asyncapi/specs 6.11.2 / 6.11.2-alpha.1 → 6.11.1
What to do: grep your lockfile for the malicious versions. If none appear, pin the safe versions and you are done. If one appears, the payload dropped a sync.js backdoor and stole credentials, so rotate the build machine's npm, GitHub, SSH, and AWS tokens plus browser passwords.
Full analysis: https://safedep.io/asyncapi-generator-supply-chain-attack-miasma-rat/
Security advisory from SafeDep. On 14 July 2026 an attacker published malicious, credential-stealing versions of four
@asyncapinpm packages. Your dependency graph pulls in one of them. You are most likely safe. You are only exposed if your lockfile pins a malicious version below.How it reaches you (from your GitHub dependency graph):
asyncapi/java-template→@asyncapi/generator@2.8.4→@asyncapi/generator-helpers@1.0.0asyncapi/java-template→@asyncapi/generator@2.8.4→@asyncapi/generator-components@1.0.0asyncapi/java-template→@asyncapi/generator@2.8.4asyncapi/java-template→@asyncapi/parser@2.1.2→@asyncapi/specs@5.1.0asyncapi/java-template→@asyncapi/parser@3.4.0→@asyncapi/specs@6.8.1asyncapi/java-template→@asyncapi/parser@3.0.0-next-major-spec.8→@asyncapi/specs@6.7.1Verify it yourself
Malicious → safe versions
@asyncapi/generator3.3.1→3.3.0@asyncapi/generator-helpers1.1.1→1.1.0@asyncapi/generator-components0.7.1→0.7.0@asyncapi/specs6.11.2/6.11.2-alpha.1→6.11.1What to do: grep your lockfile for the malicious versions. If none appear, pin the safe versions and you are done. If one appears, the payload dropped a
sync.jsbackdoor and stole credentials, so rotate the build machine's npm, GitHub, SSH, and AWS tokens plus browser passwords.Full analysis: https://safedep.io/asyncapi-generator-supply-chain-attack-miasma-rat/