@asyncapi/specs @6.11.2-alpha.1
Vulnerability report · Last retrieved from osv.dev July 15, 2026 at 3:50 AM UTC
OSV ID
MAL-2025-190643
Ecosystem
npm
Summary
index.js in @asyncapi/specs 6.11.2 contains a string-array-obfuscated payload (_0x-style decoder) that, whenever the module is required, spawns a detached node child process. The decoded logic fetches a file from the IPFS gateway URL https://ipfs.io/ipfs/Qmet4fhsAaWMBUxNDfREHwgiyDeSWy4YSYs9wiKUW5jGyf, writes it as sync.js under a platform-specific hidden directory (LOCALAPPDATA/NodeJS on Windows, ~/Library/Application Support/NodeJS on macOS, ~/.local/share/NodeJS on Linux), and executes it detached via node. The obfuscation hides the URL, target filename, and use of https, child_process, and fs APIs. A legitimate AsyncAPI JSON spec loader has no need for obfuscated code or remote code fetch-and-execute; the behavior is inconsistent with the package's advertised purpose and gives whoever controls the IPFS content full code execution on any machine that installs or loads this version.
Source: amazon-inspector (3b9e99714f1fe7132e3c690ab23d255f689800dcb1234ebf1d6bf68c61f2d2ca)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.