Upwind links compromised AsyncAPI npm packages to a coordinated supply chain attack spanning repositories, publishing pipelines, and developer systems at risk.