Upwind’s AsyncAPI npm Package Investigation Suggests Software Release Pipelines Are Becoming Prime Targets

Modern software development depends on automation. Every day, developers pull open source packages, build applications through automated pipelines, and deploy updates with little reason to question whether the software moving through those processes is authentic. That efficiency has transformed software delivery, but it has also created opportunities for attackers looking for a way to reach development environments at scale.

A new investigation from Upwind suggests those opportunities are increasingly being found in the software release process itself. The cloud security company disclosed findings from an investigation into a coordinated attack involving multiple official AsyncAPI npm packages, concluding that the activity extended beyond a single compromised package and into multiple repositories and publishing pipelines.

According to the company’s research, the campaign affected several components of the AsyncAPI ecosystem. Investigators confirmed that two GitHub repositories had been compromised and also identified a second independent repository compromise. Rather than relying on one successful intrusion, the attackers appear to have gained access to multiple publishing pipelines, targeting different release branches and abusing different OpenID Connect (OIDC) publishing identities within a short period.

Those details distinguish the campaign from incidents in which a single package is modified before being detected and removed. Instead, the investigation describes an operation that touched multiple parts of the software release process, allowing malicious code to be distributed through official publishing channels.

The way the code executed also stood out during the investigation.

Upwind found that the attackers avoided techniques commonly associated with npm supply chain attacks. Instead of executing through preinstall or postinstall scripts, the malicious code was triggered during normal package imports or through alternative execution paths. Because that execution occurs during expected application behavior, the activity can be more difficult to identify using security tools that focus primarily on monitoring package installation.

Researchers observed several execution techniques throughout the campaign. Even though those techniques differed, they repeatedly found the same infrastructure and malware patterns across the compromised repositories and publishing pipelines. According to Upwind, those similarities indicate that the activity formed part of a coordinated campaign rather than unrelated compromises.

The implications extend beyond the maintainers of the affected packages. Since the compromised software originated from official publishing channels, developers using routine dependency management practices could unknowingly import malicious code into their environments. Upwind said both developer workstations and CI/CD runners that used the affected packages should be treated as potentially compromised because the malicious code executed during normal software usage.

“This wasn’t just a malicious package -it was a compromise of trust,” said Amiram Shachar, CEO and Co-Founder of Upwind. “Multiple official AsyncAPI packages were published with backdoored code from separate repositories and publishing pipelines, showing that attackers are increasingly targeting the software release process itself.”

In response to the investigation, Upwind recommends that organizations examine their software supply chains to determine whether affected package versions were introduced into development environments. The company advises verifying exact dependency versions, pinning packages to verified releases, reviewing dependency updates, lockfiles, and Software Bills of Materials (SBOMs) for unexpected changes, and rotating credentials that were accessible from development environments where the affected packages were imported.

While the investigation focuses on a specific campaign, it also reflects a broader reality facing software development teams. As software release workflows become increasingly automated and interconnected, attacks are no longer confined to individual applications or repositories. The mechanisms used to build and distribute software have become valuable targets in their own right.

Upwind said it continues to monitor the campaign and encourages organizations to review their software supply chain security practices. The investigation serves as a reminder that securing modern development environments requires attention not only to the code being deployed, but also to the processes that deliver that code in the first place.

Leave a Reply

Your email address will not be published. Required fields are marked *

one × 2 =