top of page



The AsyncAPI Malware Hid Its Payload on IPFS to Be Takedown-Proof. IPFS Isn't Anonymous — Here's the Host Serving It Right Now.
On July 14, an attacker published malware into the @asyncapi namespace on npm — five poisoned versions across four packages that pull more than two million downloads a week. The interesting part is not that it happened. Supply-chain compromises happen weekly, and we cover them weekly. The interesting part is what the attacker did not need to do, and where they hid the payload once they were in. On the second point, we have a receipt most write-ups do not, because we built the
Patrick Duggan
3 hours ago5 min read
bottom of page