Upwind traces multiple compromised AsyncAPI npm packages to a coordinated supply chain attack targeting software release pipelines and publishing identities.