npm

@asyncapi/generator-helpers @1.1.1

Vulnerability report · Last retrieved from osv.dev July 15, 2026 at 3:50 AM UTC

Malicious

OSV ID

MAL-2025-190657

Ecosystem

npm

Summary

src/utils.js — reached via the package main src/index.js — contains an obfuscator.io IIFE that runs at module load. Alongside the legitimate helpers (getInfo, getTitle, toSnakeCase, toCamelCase), the file ships a rotated string array (_0x2d89), a custom lowercase-first base64 decoder (_0x1dd2), and a ~4KB opaque literal that decodes at runtime to further JavaScript. The top-level main() then invokes child_process.spawn on the Node runtime with '-e' and the decoded string, using {detached: true, stdio: 'ignore', windowsHide: true} so the child process is disowned and hidden. Because this fires unconditionally on require('@asyncapi/generator-helpers'), any consumer or generator template that loads this version executes attacker-controlled JavaScript in a detached Node process on the host. The behavior — obfuscator.io string-array plus custom-base64 blob reconstructed into node -e arguments — is not consistent with the package's documented purpose as an AsyncAPI generator helper library and matches a trojanized-release supply-chain compromise.

Source: amazon-inspector (f5d32214c0ccb2ee8f88d55a002ca8bd58405c001051f75646cb765588ccfa9c)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.