Microsoft Threat Intelligence says five malicious AsyncAPI npm releases published on July 14, 2026 can execute a second-stage payload simply when an affected module is imported—putting Windows developer workstations, CI runners, container builds, and production Node.js services at risk even if...