- 15th July 2026
An attacker turned AsyncAPI’s own CI/CD pipeline into a publisher, hiding a PAT theft inside 37 decoy pull requests, then pushing straight to release branches to ship the Miasma RAT to 3M weekly npm downloads under valid SLSA provenance, with zero CVE assigned.
Francesco Cipollone