Snyk has reported that there have been attempts or successful attacks targeting this vulnerability.
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsAvoid using all malicious instances of the @asyncapi/specs package.
Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a second-stage obfuscated loader. A malicious actor gained push access to the AsyncAPI generator monorepo's next branch. This allowed the attacker to trigger the project's legitimate CI/CD pipeline to publish tampered versions of several packages to npm with valid OIDC provenance attestations.