Threat actors breached AsyncAPI packages on the npm registry and turned trusted CI/CD workflows into malware delivery channels, according to analyses published on July 15, 2026, by the Microsoft Security Blog and Palo Alto Unit 42.

The Microsoft Security Blog said the attack used import-time payload delivery, meaning malicious code ran the moment a compromised package was loaded by a developer's project.

Unit 42's analysis, updated the same day, placed the AsyncAPI incident within a broader picture of npm supply chain threats. The unit documented wormable malware, CI/CD persistence techniques, and multi-stage attacks as part of that threat environment. Unit 42 also traced the evolution of npm supply chain risks following an event it called Shai Hulud.

Both organizations included recommended defenses in their respective analyses.