Upwind’s AsyncAPI npm Package Investigation Suggests Software Release Pipelines Are Becoming Prime Targets

Modern software development depends on automation. Every day, developers pull open source packages, build applications through automated pipelines, and deploy updates with little reason to question whether the software moving through those processes is authentic. That efficiency has transformed software delivery, but it has also created opportunities for attackers looking for a way to reach development environments at scale.

A new investigation from Upwind suggests those opportunities are increasingly being found in the software release process itself. The cloud security company disclosed findings from an investigation into a coordinated attack involving multiple official AsyncAPI npm packages, concluding that the activity extended beyond a single compromised package and into multiple repositories and publishing pipelines.

According to the company’s research, the campaign affected several components of the AsyncAPI ecosystem. Investigators confirmed that two GitHub repositories had been compromised and also identified a second independent repository compromise. Rather than relying on one successful intrusion, the attackers appear to have gained access to multiple publishing pipelines, targeting different release branches and abusing different OpenID Connect (OIDC) publishing identities within a short period.

Those details distinguish the campaign from incidents in which a single package is modified before being detected and removed. Instead, the investigation describes an operation that touched multiple parts of the software release process, allowing malicious code to be distributed through official publishing channels.

The way the code executed also stood out during the investigation.

Upwind found that the attackers avoided techniques commonly associated with npm supply chain attacks. Instead of executing through preinstall or postinstall scripts, the malicious code was triggered during normal package imports or through alternative execution paths. Because that execution occurs during expected application behavior, the activity can be more difficult to identify using security tools that focus primarily on monitoring package installation.

Researchers observed several execution techniques throughout the campaign. Even though those techniques differed, they repeatedly found the same infrastructure and malware patterns across the compromised repositories and publishing pipelines. According to Upwind, those similarities indicate that the activity formed part of a coordinated campaign rather than unrelated compromises.

The implications extend beyond the maintainers of the affected packages. Since the compromised software originated from official publishing channels, developers using routine dependency management practices could unknowingly import malicious code into their environments. Upwind said both developer workstations and CI/CD runners that used the affected packages should be treated as potentially compromised because the malicious code executed during normal software usage.

“This wasn’t just a malicious package -it was a compromise of trust,” said Amiram Shachar, CEO and Co-Founder of Upwind. “Multiple official AsyncAPI packages were published with backdoored code from separate repositories and publishing pipelines, showing that attackers are increasingly targeting the software release process itself.”

In response to the investigation, Upwind recommends that organizations examine their software supply chains to determine whether affected package versions were introduced into development environments. The company advises verifying exact dependency versions, pinning packages to verified releases, reviewing dependency updates, lockfiles, and Software Bills of Materials (SBOMs) for unexpected changes, and rotating credentials that were accessible from development environments where the affected packages were imported.

While the investigation focuses on a specific campaign, it also reflects a broader reality facing software development teams. As software release workflows become increasingly automated and interconnected, attacks are no longer confined to individual applications or repositories. The mechanisms used to build and distribute software have become valuable targets in their own right.

Upwind said it continues to monitor the campaign and encourages organizations to review their software supply chain security practices. The investigation serves as a reminder that securing modern development environments requires attention not only to the code being deployed, but also to the processes that deliver that code in the first place.

 

Hot this week

Did David Wineland and Serge Haroche Steal Idea For The Nobel Physics Prize?

Dr. Omerbashich says the Royal Swedish Academy is a Crime Scene and he has the proof that Nobel laureates stole his discovery.

New Approaches to Disaster Relief Challenges

Disaster relief has always been a challenge. NASA, Google,...

3 Legitimate Money Making Methods to Supplement Your Income

In a perfect world, when your landlord raises your...

2016 Predictions by World Renowned Medium and Psychic Lindy Baker

World renowned medium and psychic Lindy Baker is interviewed by The Hollywood Sentinel, discussing psychic power, the spirit world, life after death, areas of concern in 2016, and much more.

Digital Coupon Customers Spending More Than Double At Stores

A new study shows that customers who use digital coupons go shopping more for groceries and other household goods more often and spend more on their shopping trips.

Can You Buy a One-Time Box From BarkBox or BULLYMAKE?

BarkBox and BULLYMAKE both offer a single box without requiring you to sign up for a subscription first, but each works a little differently.

Dacke Industri Divardy Acquisition Adds Dutch Bakery Systems to Precision and Protection

Dacke Industri acquired 85% of Divardy Bakery Services B.V., adding Dutch industrial bakery conveyor systems to its Precision and Protection division.

TVC Analyst Releases List of 11 Greentech Startups Redefining Climate Innovation in 2026

As investment in climate technology continues to evolve, TVC...

Perion Adds Greece and CEE to Its Outmax Map via Acrossmedia241

Greece is not usually the first market named when...

Understanding Compensation Types in Florida Car Accident Injury Claims

Car accidents are often traumatic. However, the confusion that...

Jack Bride: Weaving Astrology, Full Moons And Comics Into His Unique Artistic Vision

Jack Bride is a Toronto-based artist from Calgary whose...

Project Hail Mary Movie Review: Great Book, Terrible Movie

John McCormick reviews Project Hail Mary, calling Andy Weir’s book great but the Ryan Gosling movie a disappointing adaptation.

Related Articles

Popular Categories