SShortSingh.
Back to feed

AsyncAPI npm Packages Poisoned in CI/CD Supply Chain Attack Delivering Miasma RAT

0
·5 views

On July 14, 2026, security researchers discovered a supply chain attack targeting the AsyncAPI open-source project, in which four widely used npm packages were compromised. Attackers gained unauthorized write access to official AsyncAPI GitHub repositories and pushed malicious commits to a development branch, hijacking the project's automated CI/CD pipeline to publish poisoned package versions. Because the build process was exploited rather than npm credentials stolen, the malicious packages carried valid provenance attestations, making them appear legitimate. The embedded malware acted as a dropper that executed when the library was loaded by an application, ultimately installing Miasma RAT — a cross-platform Remote Access Trojan capable of data exfiltration, persistence, and lateral movement. The incident underscores a critical blind spot in software supply chain security: publisher identity verification alone cannot guarantee the integrity of code if the underlying build infrastructure is compromised.

Read the full story at DEV Community

This is an AI-generated summary. ShortSingh links to the original source for the complete article.

Discussion (0)

Log in to join the discussion and vote.

Log in

Related stories

0
ProgrammingDEV Community ·

How QA Leaders Can Calculate True ROI of AI-Powered Test Automation

A new framework aimed at QA leaders argues that traditional ROI formulas designed for scripted automation tools like Selenium fail to capture the full value of modern AI-powered testing platforms. The guide highlights that AI-native testing introduces distinct cost and benefit structures, including self-healing scripts, agentic test generation, and intelligent failure triage, which older calculations overlook. One key gap identified is maintenance: industry data suggests 30–40% of automation engineering time is spent maintaining existing scripts, a burden that AI self-healing capabilities can significantly reduce. Unlike conventional automation, which delivers static returns, AI testing systems are said to improve over time by learning from execution history and defect patterns, producing compounding rather than linear value. The framework proposes measuring returns across four categories to help QA teams build business cases that resonate with both finance and engineering leadership.

0
ProgrammingDEV Community ·

Vulnerability Exploitation Now Top Attack Vector as Patch Times Worsen in 2026

A record 48,185 CVEs were published in 2025, a 20.6% increase over the prior year, while the median time to patch vulnerabilities rose 34% to 43 days. Verizon's 2026 Data Breach Investigations Report found that vulnerability exploitation surpassed credential abuse to become the most common initial attack method for the first time in the report's 19-year history. To address this, security experts recommend formalizing vulnerability remediation SLAs that set strict, severity-based patching deadlines — with critical flaws requiring fixes within 14 days. CISA's new federal directive, BOD 26-04, moves beyond simple CVSS scoring by requiring agencies to assess asset exposure and other contextual risk factors, with full compliance expected by December 7, 2026. Although the directive applies only to federal civilian agencies, CISA has urged private organizations to adopt similar frameworks, and cyber insurers and auditors are already following suit.

0
ProgrammingDEV Community ·

A Structured Roadmap for Aspiring Software Architects: What to Learn and When

Becoming a software architect requires mastering a broad range of skills beyond writing code, including system design, security, cloud platforms, and DevOps. Experts recommend following a layered learning path that begins with proficiency in one programming language and strong computer science fundamentals before advancing to backend development, API design, and databases. Aspiring architects should then build knowledge of cloud platforms such as AWS, containerization tools like Docker, and CI/CD pipelines to understand how software reaches production. Architecture-specific skills such as system design patterns, application security, monitoring, and technical documentation round out the roadmap. The emphasis is on knowing when to apply each concept rather than memorizing tools or frameworks in isolation.

0
ProgrammingDEV Community ·

Why Most Indie Hacker Launches Fail and What to Do Before Launch Day

Most indie hacker product launches fail not because of poor execution on launch day, but due to inadequate preparation in the months beforehand. Building in public is widely recommended but primarily attracts fellow founders rather than actual paying customers, creating misleading momentum. Founders are advised to identify where their real target buyers spend time — niche forums, Slack groups, or industry newsletters — and build an audience there instead. Positioning is highlighted as a critical pre-launch step, framed not as a tagline exercise but as a clear answer to who the product is for and why they should change their current behavior. One B2B founder's sign-ups jumped from four to twenty-three per week simply by rewriting copy to emphasize the cost of inaction rather than listing product features.