Security advisory from SafeDep. On 14 July 2026 an attacker published malicious, credential-stealing versions of four @asyncapi npm packages. Your dependency graph pulls in one of them. You are most likely safe. You are only exposed if your lockfile pins a malicious version below.
How it reaches you (from your GitHub dependency graph):
sei-protocol/sei-js → mint@4.2.97 → @mintlify/cli@4.0.701 → @mintlify/common@1.0.513 → @asyncapi/parser@3.4.0 → @asyncapi/specs@6.10.0
Verify it yourself
Malicious → safe versions
@asyncapi/generator 3.3.1 → 3.3.0
@asyncapi/generator-helpers 1.1.1 → 1.1.0
@asyncapi/generator-components 0.7.1 → 0.7.0
@asyncapi/specs 6.11.2 / 6.11.2-alpha.1 → 6.11.1
What to do: grep your lockfile for the malicious versions. If none appear, pin the safe versions and you are done. If one appears, the payload dropped a sync.js backdoor and stole credentials, so rotate the build machine's npm, GitHub, SSH, and AWS tokens plus browser passwords.
Full analysis: https://safedep.io/asyncapi-generator-supply-chain-attack-miasma-rat/
Security advisory from SafeDep. On 14 July 2026 an attacker published malicious, credential-stealing versions of four
@asyncapinpm packages. Your dependency graph pulls in one of them. You are most likely safe. You are only exposed if your lockfile pins a malicious version below.How it reaches you (from your GitHub dependency graph):
sei-protocol/sei-js→mint@4.2.97→@mintlify/cli@4.0.701→@mintlify/common@1.0.513→@asyncapi/parser@3.4.0→@asyncapi/specs@6.10.0Verify it yourself
Malicious → safe versions
@asyncapi/generator3.3.1→3.3.0@asyncapi/generator-helpers1.1.1→1.1.0@asyncapi/generator-components0.7.1→0.7.0@asyncapi/specs6.11.2/6.11.2-alpha.1→6.11.1What to do: grep your lockfile for the malicious versions. If none appear, pin the safe versions and you are done. If one appears, the payload dropped a
sync.jsbackdoor and stole credentials, so rotate the build machine's npm, GitHub, SSH, and AWS tokens plus browser passwords.Full analysis: https://safedep.io/asyncapi-generator-supply-chain-attack-miasma-rat/