Mintlify incident
Security notice: AsyncAPI npm supply chain compromise — Mintlify is not affected
Mintlify experienced a minor incident on July 16, 2026 affecting Display and Dashboard and 1 more component, lasting —. The incident has been resolved; the full update timeline is below.
Affected components
Update timeline
- resolved Jul 16, 2026, 06:54 PM UTC
Status: Resolved On July 14, 2026, several packages in the @asyncapi npm namespace were compromised in a supply chain attack. An attacker exploited a misconfigured GitHub Actions workflow in the AsyncAPI generator repository to steal a publish token and release malicious versions of @asyncapi/specs (6.11.2, 6.11.2-alpha.1), @asyncapi/generator (3.3.1), @asyncapi/generator-components (0.7.1), and @asyncapi/generator-helpers (1.1.1). We reviewed our dependency tree and confirmed Mintlify is not affected: - We do not use @asyncapi/generator, @asyncapi/generator-helpers, or @asyncapi/generator-components anywhere in our codebase. - The only @asyncapi packages we depend on are @asyncapi/parser (not compromised) and @asyncapi/specs, which our lockfiles pin at 6.11.1 and 6.8.1 — both below the compromised 6.11.2. We will keep specs pinned below 6.11.2. - The malicious versions were never installed in our development, CI, or production environments, and we found no signs of impact. Mintlify's AsyncAPI documentation features continue to work normally and were never at risk. No action is required on your part. Affected components Display (Operational) Updates (Operational) Dashboard (Operational) Search (Operational)