Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

Compromised npm Packages in the AsyncAPI Namespace Deliver Miasma Botnet Loader

0
Medium
Published: 07/14/2026 (07/14/2026, 16:36:49 UTC)
Source: AlienVault OTX General

Description

Four npm packages in the AsyncAPI namespace were compromised to distribute the Miasma botnet loader. The attack used trusted GitHub Actions publishing but originated from a poisoned source commit. Malicious code injected into legitimate source files executes upon import, launching a detached Node.js process that downloads an encrypted payload from IPFS. The payload is a sophisticated tasking framework supporting multiple command-and-control channels such as REST, Nostr relays, IPFS, Ethereum smart contracts, and BitTorrent DHT. It establishes persistence on Linux via systemd services and fake NodeJS directories. The framework supports file operations, shell execution, data collection, and propagation across npm, PyPI, RubyGems, and Cargo ecosystems.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/15/2026, 00:49:22 UTC

Technical Analysis

This threat involves a supply chain compromise of four npm packages within the AsyncAPI namespace. Attackers injected malicious code into legitimate source files via a poisoned source commit, abusing trusted GitHub Actions publishing workflows. When these packages are imported, the malicious code launches a detached Node.js process that downloads an 8.25 MB encrypted payload from IPFS. The final payload is a multi-stage botnet loader named Miasma, which implements a sophisticated tasking framework with multiple command-and-control channels including REST APIs, Nostr relays, IPFS, Ethereum smart contracts, and BitTorrent DHT. It achieves persistence on Linux systems through systemd services and fake NodeJS directories. The framework enables a wide range of malicious activities including file operations, shell command execution, data collection, and cross-ecosystem propagation targeting multiple package ecosystems beyond npm, such as PyPI, RubyGems, and Cargo.

Potential Impact

The compromise allows attackers to execute arbitrary code on systems that import the affected npm packages, potentially leading to system takeover. The Miasma botnet loader supports multiple command-and-control channels, enabling resilient and flexible attacker control. Persistence mechanisms on Linux systems increase the difficulty of removal. The cross-ecosystem propagation capability increases the risk of widespread infection across multiple development environments and package managers. This can result in unauthorized data access, system manipulation, and further malware distribution.

Mitigation Recommendations

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Users should avoid using the compromised AsyncAPI npm packages until official guidance or patches are released. Review and verify the integrity of dependencies, especially those from the AsyncAPI namespace. Monitor for unusual Node.js processes and systemd services indicative of Miasma persistence. Consider scanning development environments and build pipelines for signs of compromise. Follow updates from AsyncAPI maintainers and trusted security sources for remediation steps.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Author
AlienVault
Tlp
white
References
["https://socket.dev/blog/asyncapi-supply-chain-attack"]
Adversary
null
Pulse Id
6a5665a177561cba872b779e
Threat Score
null

Indicators of Compromise

Url

ValueDescriptionCopy
urlhttps://ethereum-rpc.publicnode.com
urlhttp://85.137.53.71:8080/api/v1/beacon
urlhttp://85.137.53.71:8080/api/v1/file-result
urlhttp://85.137.53.71:8080/api/v1/file-content/

Hash

ValueDescriptionCopy
hash34014776d3d3ff11bc4439b02fd7ac0f02a887eb3a052eeafff236e2f6db8ad1
hash082d733db0687dcd768104972b065d4b58cb1e6043688c6c20fa3702337f36ab
hashbfaeb987faa6de2b5a5eb63b1233d055215b09b0349a9394f2175fd7cdf385e4
hash9b2e65db653ca8575c9b10eefb9a80c6006404812c2ec212bf5675e3c690233b
hashd425e4583cc6185d41e95c45eda00550045a5d1919b9a012236a4520d009dbd7
hash6e78713b75bd34828d49896176627f7face7aa9036cd874f2e02d9f23a9a9c71
hashb270bdf8e2274ea1af0a6eed74d8f10e5fe61012d6cc226a43cc7cc7fd9f6292
hashb9993a8ad0518849416798cf29668256ccb96598fc4423501ccab5312812653a
hash8351d251cf0b5a0bd82242deaa0a14e3e1394418d55c0f4259dac4303b79fc0c
hash550af477c12192a22f5c9edb9c8081c0a789b3a1a2992a7ecb157cca1c975e10
hash24b9ee242f21a73b55f7bb3297eafb33c60840907386b542ed79fc6b72365168
hash9e214f38537e69bf51c7fa1ddd35ae495e9cb897231ec010baf9e4f29407ee9a
hash9f1a709310824f9110c6203d861a721ebefba8b204a8657057fe57efb961c850
hash3eab3ec9304aa26081358330491d3cfeb55cc245

Threat ID: 6a56764468715ace43f031bf

Added to database: 07/14/2026, 17:47:48 UTC

Last enriched: 07/15/2026, 00:49:22 UTC

Last updated: 07/15/2026, 00:49:22 UTC

Views: 9

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

External Links

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses