On July 14, 2026, several packages in the @asyncapi npm namespace were compromised in a supply chain attack. An attacker exploited a misconfigured GitHub Actions workflow in the AsyncAPI generator repository to steal a publish token and release malicious versions of @asyncapi/specs (6.11.2, 6.11.2-alpha.1), @asyncapi/generator (3.3.1), @asyncapi/generator-components (0.7.1), and @asyncapi/generator-helpers (1.1.1).
We reviewed our dependency tree and confirmed Mintlify is not affected:
- We do not use @asyncapi/generator, @asyncapi/generator-helpers, or @asyncapi/generator-components anywhere in our codebase.
- The only @asyncapi packages we depend on are @asyncapi/parser (not compromised) and @asyncapi/specs, which our lockfiles pin at 6.11.1 and 6.8.1 — both below the compromised 6.11.2. We will keep specs pinned below 6.11.2.
- The malicious versions were never installed in our development, CI, or production environments, and we found no signs of impact.
Mintlify's AsyncAPI documentation features continue to work normally and were never at risk. No action is required on your part.
No components marked as affected
Resolved
On July 14, 2026, several packages in the @asyncapi npm namespace were compromised in a supply chain attack. An attacker exploited a misconfigured GitHub Actions workflow in the AsyncAPI generator repository to steal a publish token and release malicious versions of @asyncapi/specs (6.11.2, 6.11.2-alpha.1), @asyncapi/generator (3.3.1), @asyncapi/generator-components (0.7.1), and @asyncapi/generator-helpers (1.1.1).
We reviewed our dependency tree and confirmed Mintlify is not affected:
- We do not use @asyncapi/generator, @asyncapi/generator-helpers, or @asyncapi/generator-components anywhere in our codebase.
- The only @asyncapi packages we depend on are @asyncapi/parser (not compromised) and @asyncapi/specs, which our lockfiles pin at 6.11.1 and 6.8.1 — both below the compromised 6.11.2. We will keep specs pinned below 6.11.2.
- The malicious versions were never installed in our development, CI, or production environments, and we found no signs of impact.
Mintlify's AsyncAPI documentation features continue to work normally and were never at risk. No action is required on your part.