[BUG] Malware in the NPM package #603

@mhammerc

Description

Describe the bug.

Hello,

Multiple new versions of the package have been published on NPM. These new versions add a 10 MB bun_environment.js.

List of new versions:

  • 6.8.3
  • 6.9.1
  • 6.8.2
  • 6.10.1

I find nothing on this github repository linking to these new releases.

I also find nothing in the source code that links to bun_environment.js.

I think it starts a trufflehog process which scans for secrets...

I am not sure but my search came to this package.

Is the package compromised?

See the hasInstallScripts set to true? It can launch malware with that.

Expected behavior

No malware

How to Reproduce

  1. I first did this
  2. I then did this
  3. And so on . . .

๐Ÿ–ฅ๏ธ Device Information [optional]

  • Operating System (OS):
  • Browser:
  • Browser Version:

Have you checked for similar open issues?

  • I checked and didn't find a similar issue

๐Ÿข Have you read the Contributing Guidelines?

  • I have read the Contributing Guidelines

Are you willing to work on this issue?

None

Activity

github-actions commented on Nov 24, 2025

Welcome to AsyncAPI. Thanks a lot for reporting your first issue. Please check out our contributors guide and the instructions about a basic recommended setup useful for opening a pull request.
Keep in mind there are also other channels you can use to interact with AsyncAPI community. For more details check out this issue.

kaelyx-dev commented on Nov 24, 2025

derberg commented on Nov 24, 2025

Member

@mhammerc already addressed with deprecation of bad versions. Also reached out to NPM and they removed all bad versions now.

hateCode123 commented on Nov 25, 2025

Catastrophic event

derberg commented on Nov 25, 2025

Member

We're almost done with the postmortem: asyncapi/website#4640

riccardo-angelilli commented on Nov 26, 2025

Which is the new safe version we should install from npm?

derberg commented on Nov 27, 2025

Member

postmortem: https://open-vsx.org/extension/asyncapi/asyncapi-preview

@riccardo-angelilli use the latest 6.10.0. On our request, NPM removed all the "bad" versions entirely from npm.

Bad versions were:

  • 6.10.1
  • 6.8.2
  • 6.9.1
  • 6.8.3