Upwind links compromise of multiple AsyncAPI npm packages to coordinated attack on software release process

AI Today Summary
Security researchers at Upwind investigated a coordinated attack compromising multiple AsyncAPI npm packages by infiltrating several GitHub repositories and publishing pipelines. The attackers distributed malicious code through legitimate release channels, executing it during normal package imports, which complicates detection by typical security tools. This campaign targeted the software release process itself rather than isolated packages, indicating a sophisticated supply chain compromise.
Covered by 1 source
AI Today publishes original summaries and links out — never the full source article.