Compromised npm Packages in the AsyncAPI Namespace Deliver Miasma Botnet Loader
Four npm packages in the AsyncAPI namespace were compromised to distribute the Miasma botnet loader. The attack used trusted GitHub Actions publishing but originated from a poisoned source commit. Malicious code injected into legitimate source files executes upon import, launching a detached Node.js process that downloads an encrypted payload from IPFS. The payload is a sophisticated tasking framework supporting multiple command-and-control channels such as REST, Nostr relays, IPFS, Ethereum smart contracts, and BitTorrent DHT. It establishes persistence on Linux via systemd services and fake NodeJS directories. The framework supports file operations, shell execution, data collection, and propagation across npm, PyPI, RubyGems, and Cargo ecosystems.
AI Analysis
Technical Summary
This threat involves a supply chain compromise of four npm packages within the AsyncAPI namespace. Attackers injected malicious code into legitimate source files via a poisoned source commit, abusing trusted GitHub Actions publishing workflows. When these packages are imported, the malicious code launches a detached Node.js process that downloads an 8.25 MB encrypted payload from IPFS. The final payload is a multi-stage botnet loader named Miasma, which implements a sophisticated tasking framework with multiple command-and-control channels including REST APIs, Nostr relays, IPFS, Ethereum smart contracts, and BitTorrent DHT. It achieves persistence on Linux systems through systemd services and fake NodeJS directories. The framework enables a wide range of malicious activities including file operations, shell command execution, data collection, and cross-ecosystem propagation targeting multiple package ecosystems beyond npm, such as PyPI, RubyGems, and Cargo.
Potential Impact
The compromise allows attackers to execute arbitrary code on systems that import the affected npm packages, potentially leading to system takeover. The Miasma botnet loader supports multiple command-and-control channels, enabling resilient and flexible attacker control. Persistence mechanisms on Linux systems increase the difficulty of removal. The cross-ecosystem propagation capability increases the risk of widespread infection across multiple development environments and package managers. This can result in unauthorized data access, system manipulation, and further malware distribution.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Users should avoid using the compromised AsyncAPI npm packages until official guidance or patches are released. Review and verify the integrity of dependencies, especially those from the AsyncAPI namespace. Monitor for unusual Node.js processes and systemd services indicative of Miasma persistence. Consider scanning development environments and build pipelines for signs of compromise. Follow updates from AsyncAPI maintainers and trusted security sources for remediation steps.
Indicators of Compromise
- url: https://ethereum-rpc.publicnode.com
- url: http://85.137.53.71:8080/api/v1/beacon
- url: http://85.137.53.71:8080/api/v1/file-result
- url: http://85.137.53.71:8080/api/v1/file-content/
- hash: 34014776d3d3ff11bc4439b02fd7ac0f02a887eb3a052eeafff236e2f6db8ad1
- hash: 082d733db0687dcd768104972b065d4b58cb1e6043688c6c20fa3702337f36ab
- hash: bfaeb987faa6de2b5a5eb63b1233d055215b09b0349a9394f2175fd7cdf385e4
- hash: 9b2e65db653ca8575c9b10eefb9a80c6006404812c2ec212bf5675e3c690233b
- hash: d425e4583cc6185d41e95c45eda00550045a5d1919b9a012236a4520d009dbd7
- hash: 6e78713b75bd34828d49896176627f7face7aa9036cd874f2e02d9f23a9a9c71
- hash: b270bdf8e2274ea1af0a6eed74d8f10e5fe61012d6cc226a43cc7cc7fd9f6292
- hash: b9993a8ad0518849416798cf29668256ccb96598fc4423501ccab5312812653a
- hash: 8351d251cf0b5a0bd82242deaa0a14e3e1394418d55c0f4259dac4303b79fc0c
- hash: 550af477c12192a22f5c9edb9c8081c0a789b3a1a2992a7ecb157cca1c975e10
- hash: 24b9ee242f21a73b55f7bb3297eafb33c60840907386b542ed79fc6b72365168
- hash: 9e214f38537e69bf51c7fa1ddd35ae495e9cb897231ec010baf9e4f29407ee9a
- hash: 9f1a709310824f9110c6203d861a721ebefba8b204a8657057fe57efb961c850
- hash: 3eab3ec9304aa26081358330491d3cfeb55cc245
Compromised npm Packages in the AsyncAPI Namespace Deliver Miasma Botnet Loader
Description
Four npm packages in the AsyncAPI namespace were compromised to distribute the Miasma botnet loader. The attack used trusted GitHub Actions publishing but originated from a poisoned source commit. Malicious code injected into legitimate source files executes upon import, launching a detached Node.js process that downloads an encrypted payload from IPFS. The payload is a sophisticated tasking framework supporting multiple command-and-control channels such as REST, Nostr relays, IPFS, Ethereum smart contracts, and BitTorrent DHT. It establishes persistence on Linux via systemd services and fake NodeJS directories. The framework supports file operations, shell execution, data collection, and propagation across npm, PyPI, RubyGems, and Cargo ecosystems.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This threat involves a supply chain compromise of four npm packages within the AsyncAPI namespace. Attackers injected malicious code into legitimate source files via a poisoned source commit, abusing trusted GitHub Actions publishing workflows. When these packages are imported, the malicious code launches a detached Node.js process that downloads an 8.25 MB encrypted payload from IPFS. The final payload is a multi-stage botnet loader named Miasma, which implements a sophisticated tasking framework with multiple command-and-control channels including REST APIs, Nostr relays, IPFS, Ethereum smart contracts, and BitTorrent DHT. It achieves persistence on Linux systems through systemd services and fake NodeJS directories. The framework enables a wide range of malicious activities including file operations, shell command execution, data collection, and cross-ecosystem propagation targeting multiple package ecosystems beyond npm, such as PyPI, RubyGems, and Cargo.
Potential Impact
The compromise allows attackers to execute arbitrary code on systems that import the affected npm packages, potentially leading to system takeover. The Miasma botnet loader supports multiple command-and-control channels, enabling resilient and flexible attacker control. Persistence mechanisms on Linux systems increase the difficulty of removal. The cross-ecosystem propagation capability increases the risk of widespread infection across multiple development environments and package managers. This can result in unauthorized data access, system manipulation, and further malware distribution.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Users should avoid using the compromised AsyncAPI npm packages until official guidance or patches are released. Review and verify the integrity of dependencies, especially those from the AsyncAPI namespace. Monitor for unusual Node.js processes and systemd services indicative of Miasma persistence. Consider scanning development environments and build pipelines for signs of compromise. Follow updates from AsyncAPI maintainers and trusted security sources for remediation steps.
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://socket.dev/blog/asyncapi-supply-chain-attack"]
- Adversary
- null
- Pulse Id
- 6a5665a177561cba872b779e
- Threat Score
- null
Indicators of Compromise
Url
| Value | Description | Copy |
|---|---|---|
urlhttps://ethereum-rpc.publicnode.com | — | |
urlhttp://85.137.53.71:8080/api/v1/beacon | — | |
urlhttp://85.137.53.71:8080/api/v1/file-result | — | |
urlhttp://85.137.53.71:8080/api/v1/file-content/ | — |
Hash
| Value | Description | Copy |
|---|---|---|
hash34014776d3d3ff11bc4439b02fd7ac0f02a887eb3a052eeafff236e2f6db8ad1 | — | |
hash082d733db0687dcd768104972b065d4b58cb1e6043688c6c20fa3702337f36ab | — | |
hashbfaeb987faa6de2b5a5eb63b1233d055215b09b0349a9394f2175fd7cdf385e4 | — | |
hash9b2e65db653ca8575c9b10eefb9a80c6006404812c2ec212bf5675e3c690233b | — | |
hashd425e4583cc6185d41e95c45eda00550045a5d1919b9a012236a4520d009dbd7 | — | |
hash6e78713b75bd34828d49896176627f7face7aa9036cd874f2e02d9f23a9a9c71 | — | |
hashb270bdf8e2274ea1af0a6eed74d8f10e5fe61012d6cc226a43cc7cc7fd9f6292 | — | |
hashb9993a8ad0518849416798cf29668256ccb96598fc4423501ccab5312812653a | — | |
hash8351d251cf0b5a0bd82242deaa0a14e3e1394418d55c0f4259dac4303b79fc0c | — | |
hash550af477c12192a22f5c9edb9c8081c0a789b3a1a2992a7ecb157cca1c975e10 | — | |
hash24b9ee242f21a73b55f7bb3297eafb33c60840907386b542ed79fc6b72365168 | — | |
hash9e214f38537e69bf51c7fa1ddd35ae495e9cb897231ec010baf9e4f29407ee9a | — | |
hash9f1a709310824f9110c6203d861a721ebefba8b204a8657057fe57efb961c850 | — | |
hash3eab3ec9304aa26081358330491d3cfeb55cc245 | — |
Threat ID: 6a56764468715ace43f031bf
Added to database: 07/14/2026, 17:47:48 UTC
Last enriched: 07/15/2026, 00:49:22 UTC
Last updated: 07/15/2026, 00:49:22 UTC
Views: 9
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.