[BUG] Malware in the NPM package

[mhammerc]

Describe the bug.

Hello,

Multiple new versions of the package have been published on NPM. These new versions adds bun_environment.js 10Mo.

List of new versions:

• 6.8.3
• 6.9.1
• 6.8.2
• 6.10.1

I find nothing on this github repository linking to these new releases.

I also find nothing in the source code that links to bun_environment.js.

I think it starts a trufflehog process which scan for secrets...

I am not sure but my search came to this package.

Is the package compromised?

See the hasInstallScripts set to true? It can launch malware with that.

Expected behavior

No malware

Screenshots

How to Reproduce

1. I first did this
2. I then did this
3. And so on . . .

🖥️ Device Information [optional]

• Operating System (OS):
• Browser:
• Browser Version:

👀 Have you checked for similar open issues?

• I checked and didn't find similar issue

🏢 Have you read the Contributing Guidelines?

• I have read the Contributing Guidelines

Are you willing to work on this issue ?

None

[github-actions]

Welcome to AsyncAPI. Thanks a lot for reporting your first issue. Please check out our contributors guide and the instructions about a basic recommended setup useful for opening a pull request.
Keep in mind there are also other channels you can use to interact with AsyncAPI community. For more details check out this issue.

[kaelyx-dev]

@mhammerc see https://helixguard.ai/blog/malicious-sha1hulud-2025-11-24

[derberg]

@mhammerc already addressed with deprecation of bad versions. Also reached out to NPM and they removed all bad versions now

[hateCode123]

Catastrophic event

[derberg]

we're almost done with postmortem asyncapi/website#4640

[riccardo-angelilli]

which is the new safe version we should install from npm?

[derberg]

postmortem: https://open-vsx.org/extension/asyncapi/asyncapi-preview

@riccardo-angelilli use the latest 6.10.0 - on our request, NPM removed all the "bad" npm versions entirely from npm.

bad versions were:

• 6.10.1
• 6.8.2
• 6.9.1
• 6.8.3