npm

@asyncapi/generator-components @0.7.1

Vulnerability report · Last retrieved from osv.dev July 15, 2026 at 3:50 AM UTC

Malicious

OSV ID

MAL-2025-190656

Ecosystem

npm

Summary

lib/utils/ErrorHandling.js contains an obfuscator.io string-array with a base64+decodeURIComponent decoder colocated with a top-level main() invocation reachable via the package's main entry (lib/index.js -> components/HandleError.js -> utils/ErrorHandling.js). On require of the package, main() spawns a detached, stdio-ignored Node subprocess via spawn('node', ['-e', <decoded-payload>], { detached: true, stdio: [...], windowsHide: true }).unref() , where the '-e' argument is ~3 KB of code decoded at runtime from a base64 blob in the obfuscated string array. The payload delivery mechanism (heavy obfuscation, runtime string decoding, detached backgrounded child process, hidden window on Windows) is inconsistent with any documented error-handling functionality and matches the shape of a hidden load-time RCE injection into a legitimate AsyncAPI package.

Source: amazon-inspector (53b011ee7d312f04a975987c919c0b2682df7e875bffceef2d932027e08a2f2a)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.