Close Menu
    What's Hot

    Senator Mark Kelly Amasses Nearly $25 Million Campaign War Chest

    How to Solve the Hormuz Dispute Between the United States and Iran

    Maine Democrats grapple with who is best to take over Graham Platner’s movement

    Facebook X (Twitter) Instagram
    Trending
    • Senator Mark Kelly Amasses Nearly $25 Million Campaign War Chest
    • How to Solve the Hormuz Dispute Between the United States and Iran
    • Maine Democrats grapple with who is best to take over Graham Platner’s movement
    • U.S. Presses China to Free American Seismologist Accused of Spying
    • Nations Championship: England rugby players to avoid wearing national shirts in Argentina as football counterparts face off at World Cup | Rugby Union News
    • Compromised AsyncAPI npm Packages Deliver Multi-Stage Botnet Malware
    • He Has a $25 Million Bounty on His Head, But Is Also a U.S. Partner in Venezuela.
    • Travel Tips: How to Wait in Line (and Keep Your Cool)
    interluknewsinterluknews
    • Home
    • Business
      • Corporate News
      • Industry Insights
      • Startups & Entrepreneurship
      • Technology & Innovation
    • Economy
      • Economic Policy
      • Financial Analysis
      • Inflation & Interest Rates
      • Trade & Markets
    • Global
      • Conflicts & Security
      • Diplomacy
      • Global Trends
      • International Affairs
    • Lifestyle
      • Fashion
      • Food & Dining
      • Personal Development
      • Travel
    • Opinion
      • Columns
      • Editorials
      • Expert Opinions
      • Reader Voices
    • More
      • Politics
        • Elections
        • Government & Policy
        • International Relations
        • Political Analysis
      • Sports
        • Cricket
        • Football / Soccer
        • International Sports
        • Local Sports
      • Technology
        • Artificial Intelligence
        • Cybersecurity
        • Gadgets & Reviews
        • Tech News
      • South Africa News
    Facebook X (Twitter) Instagram
    interluknewsinterluknews
    Cybersecurity

    Compromised AsyncAPI npm Packages Deliver Multi-Stage Botnet Malware

    adminBy adminJuly 15, 2026No Comments4 Mins Read
    Share Facebook Twitter Pinterest Copy Link Telegram LinkedIn Tumblr Email
    Compromised AsyncAPI npm Packages Deliver Multi-Stage Botnet Malware
    Share
    Facebook Twitter LinkedIn Pinterest Email

    Compromised AsyncAPI npm Packages Deliver Multi-Stage Botnet Malware

    Four compromised npm packages in the @asyncapi namespace have been observed distributing a multi-stage botnet loader, according to findings from OX Security, SafeDep, Socket, and StepSecurity.

    The affected packages are listed below –

    • @asyncapi/generator-helpers@1.1.1
    • @asyncapi/generator-components@0.7.1
    • @asyncapi/generator@3.3.1
    • @asyncapi/specs(v6.11.2, v6.11.2-alpha.1)

    “The compromised packages deploy an obfuscated first-stage payload that downloads an encrypted second-stage payload, identified as Miasma, from IPFS,” Socket said.

    The poisoned packages ship a hidden JavaScript implant, with each of them containing an injected source file that decodes to the same second-stage downloader. Unlike previous iterations that leveraged install hooks to trigger the execution of a JavaScript payload, the malicious code in this case is run when the infected module is loaded by Node.js, after which it launches a detached background node that downloads and executes the malware from IPFS.

    Cybersecurity

    The next-stage payload is an encrypted JavaScript loader named “sync.js,” which is written to operating system-specific paths and executed. The downloader URL is “ipfs[.]io/ipfs/QmQobZSp1wRPrpSEQ56qnyq7ecZh5Bg5k1fnjt4SUwwHb9.” The loader contains two components –

    • The encrypted final JavaScript payload, which decodes to the Miasma tasking framework
    • A large encrypted blob used by the runtime’s spawn-chain framework

    The framework bundles 744 modules and is built as a command framework that supports six independent command-and-control (C2) communication channels using HTTP, Nostr relay, IPFS, BitTorrent DHT, libp2p GossipSub P2P mesh, and an Ethereum smart contract.

    Besides facilitating credential theft, AI tool poisoning, LAN lateral movement, and worm-like propagation on npm, PyPI, and Cargo registries, Miasma features a persistence mechanism of its own, setting up a systemd, crontab, macOS launchd, and Windows Registry autostart keys.

    “Although the malware has some similarities to the Shai-Hulud and Miasma campaigns, and it contains the Miasma string multiple times inside its code, this malware isn’t the same as them, nor is it attributed to the Miasma/Shai-Hulud/TeamPCP campaigns that we’ve seen in the past,” OX Security’s Moshe Siman Tov Bustan said.

    Furthermore, it incorporates a dead man’s switch that monitors a stolen token and triggers a directory wipe if the token is revoked, while avoiding systems identified as sandboxes or virtual environments, as well as those that have their current language set to Russian or have security tools from CrowdStrike, SentinelOne, Microsoft Defender, CarbonBlack, Cylance, Osquery, Tanium, and Qualys installed.

    Cybersecurity

    “Its clearest operational path is REST-based C2: the implant beacons to an HTTP endpoint, accepts encrypted tasking, and posts command results back to the same infrastructure. Around that core, the payload also carries support for upload transport, command ciphering, node signing, payload updates, file management, shell execution, and persistence writing.”

    According to StepSecurity, the attacker is said to have gained push access to the repositories and used the project’s own legitimate GitHub Actions release pipeline to publish packages with valid OIDC provenance attestations. The supply chain attack did not involve the theft of an npm token.

    “Both attacks are CI/CD pipeline compromises, not stolen npm tokens or malicious maintainers,” security researcher Rohan Prabhu said. “The attacker pushed commits under a placeholder git identity and let each repository’s real release workflow do the publishing via npm’s GitHub OIDC trusted-publisher integration.”

    “The resulting packages carry legitimate SLSA provenance attestations, proving only that the project’s authorized workflow produced them, not that the triggering commits were legitimate. Provenance does not protect against a compromised push credential.”

    All five malicious versions have since been unpublished from the npm registry. It’s advised to treat any endpoint that imported or executed one of the affected package versions as potentially compromised. However, it bears noting that exposure depends on whether the infected module was loaded as part of a build or a developer workflow.

    “There is no preinstall/postinstall/install script anywhere in any of the three package.json files,” StepSecurity said. “This dropper fires when the poisoned module is require()d during normal use of the generator: the moment a build or CI job actually calls into the library, not at npm install time.”

    AsyncAPI Botnet Compromised Deliver Malware MultiStage npm Packages
    Follow on Google News Follow on Flipboard
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
    Previous ArticleHe Has a $25 Million Bounty on His Head, But Is Also a U.S. Partner in Venezuela.
    Next Article Nations Championship: England rugby players to avoid wearing national shirts in Argentina as football counterparts face off at World Cup | Rugby Union News
    admin
    • Website

    Related Posts

    Two SonicWall SMA 1000 Zero-Days Exploited, One Could Enable Admin Commands

    July 15, 2026

    OAuth Client ID Spoofing Lets Attackers Validate Stolen Microsoft Entra Credentials

    July 15, 2026

    How Pentera Turns AI Security Workflows into Validation Engines

    July 15, 2026
    Leave A Reply Cancel Reply

    Demo
    Latest Posts

    Senator Mark Kelly Amasses Nearly $25 Million Campaign War Chest

    How to Solve the Hormuz Dispute Between the United States and Iran

    Maine Democrats grapple with who is best to take over Graham Platner’s movement

    U.S. Presses China to Free American Seismologist Accused of Spying

    Latest Posts

    Subscribe to News

    Get the latest sports news from NewsSite about world, sports and politics.

    Advertisement
    Demo

    We are a digital news platform delivering timely, accurate, and insightful coverage of politics, global affairs, business, economy, sports, and more. Our mission is to keep readers informed with reliable news, clear analysis, and stories that truly matter.
    We're social. Connect with us:

    Facebook X (Twitter) Instagram Pinterest YouTube

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Type above and press Enter to search. Press Esc to cancel.

    Powered by
    ...
    ►
    Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
    None
    ►
    Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
    None
    ►
    Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
    None
    ►
    Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
    None
    ►
    Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
    None
    Powered by