BTC $71,807
2026 Bull Run Is Building Start trading with 5% OFF all fees
Sign Up Now
BTC $71,807
Bull Run 2026 | 5% Off Fees Open your Binance account today
Sign Up

AsyncAPI npm packages compromised, deliver Miasma botnet loader

AsyncAPI npm packages compromised in supply chain attack deploying Miasma botnet.

  • Four npm packages in the @asyncapi namespace were compromised, distributing a multi-stage botnet loader called Miasma.
  • The attack exploited the project’s own GitHub Actions release pipeline, publishing packages with valid provenance attestations without stealing npm tokens.
  • The malware supports multiple C2 channels, including IPFS, Nostr relay, and an Ethereum smart contract, and can steal credentials and spread to other registries.

Four compromised npm packages in the @asyncapi namespace distributed a multi-stage botnet loader, according to findings from OX Security, SafeDep, Socket, and StepSecurity. The affected packages include @asyncapi/generator-helpers@1.1.1, @asyncapi/generator-components@0.7.1, @asyncapi/generator@3.3.1, and @asyncapi/specs (versions 6.11.2 and 6.11.2-alpha.1).

- Advertisement -

The compromised packages deploy an obfuscated first-stage payload that downloads an encrypted second-stage payload, identified as Miasma, from IPFS, according to Socket. The malicious code runs when the infected module is loaded by Node.js, launching a detached background node that downloads and executes malware from “ipfs[.]io/ipfs/QmQobZSp1wRPrpSEQ56qnyq7ecZh5Bg5k1fnjt4SUwwHb9.”

The next-stage payload is an encrypted JavaScript loader named “sync.js,” containing the Miasma tasking framework and a large encrypted blob. The framework bundles 744 modules and supports six independent command-and-control (C2) communication channels using HTTP, Nostr relay, IPFS, BitTorrent DHT, libp2p GossipSub P2P mesh, and an Ethereum smart contract.

Miasma facilitates credential theft, AI tool poisoning, LAN lateral movement, and worm-like propagation on npm, PyPI, and Cargo registries. It sets up persistence mechanisms across systemd, crontab, macOS launchd, and Windows Registry autostart keys.

OX Security’s Moshe Siman Tov Bustan said that although the malware shares similarities with previous Shai-Hulud and Miasma campaigns, “this malware isn’t the same as them, nor is it attributed to the Miasma/Shai-Hulud/TeamPCP campaigns.” It also includes a dead man’s switch that monitors a stolen token and triggers a directory wipe if the token is revoked, while avoiding sandboxes, virtual environments, and systems with Russian language or security tools from vendors like CrowdStrike, SentinelOne, and Microsoft Defender.

- Advertisement -

According to StepSecurity, the attacker gained push access and used the project’s own legitimate GitHub Actions release pipeline to publish packages with valid OIDC provenance attestations. The supply chain attack did not involve theft of an npm token. Security researcher Rohan Prabhu explained that “both attacks are CI/CD pipeline compromises, not stolen npm tokens or malicious maintainers.” The resulting packages carry legitimate SLSA provenance attestations, proving only that the authorized workflow produced them.

All five malicious versions have since been unpublished from the npm registry. Users are advised to treat any endpoint that imported or executed one of the affected packages as potentially compromised, noting that exposure depends on whether the infected module was loaded during a build or developer workflow.

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -
Ad
Altseason Is Loading. Don't watch from the sidelines.
SOL $90.51
DOGE $0.0963
LINK $9.02
SUI $1.00
5% off fees when you sign up
Start Trading
Ad
Pay Less on Every Trade. For Life.
$10K/mo volume Save $60/yr
$50K/mo volume Save $300/yr
$100K/mo volume Save $600/yr
5% off all trading fees when you sign up
Claim Your Discount

Latest News

US, UK issue joint stablecoin and tokenization plan

The U.S. and UK Treasuries published 10 joint recommendations to align regulation of stablecoins,...

BYD doubles Europe market share to 2.8%, overtakes Tesla and Ford

BYD's European market share more than doubled to 2.8% in May, surpassing Ford, Tesla...

Kalshi in ‘impossible position’ as US and Michigan orders clash

The CFTC has ordered prediction market Kalshi to ignore a Michigan state court order...

Bitcoin reclaims $64K as crypto market rebounds

Bitcoin (BTC) has reclaimed the $64,000 level after a recent dip, rising nearly 10%...

Palihapitiya Sees ‘Obvious Logic’ in Tesla-SpaceX Merger

Billionaire investor Chamath Palihapitiya said there is "very obvious industrial logic" in combining Tesla...

Must Read

Forex Trading Vs Crypto Trading: Which One Should You Choose?

So you're trying to decide between two types of trading: Forex and cryptocurrency.Forex trading is the big player in the trading world, with lots...
Ad
Altseason Is Loading. These 4 coins are trending right now.
SOL $92.12
DOGE $0.0950
LINK $9.02
SUI $1.02
5% off spot fees when you sign up
Start Trading