Compromised npm Packages in the AsyncAPI Namespace Deliver Miasma Botnet Loader
Blog post from Socket
Socket's Threat Research Team discovered a security breach involving four npm packages within the @asyncapi namespace, which were found to distribute a multi-stage botnet loader. These compromised packages, identified as containing malware, deliver an obfuscated initial payload that downloads an encrypted secondary payload, named Miasma, from IPFS. The attack strategy involves a JavaScript implant that activates when the module is loaded in Node.js, executing a hidden background process to fetch a larger payload. The malicious versions were published through GitHub Actions using a compromised source commit, highlighting vulnerabilities in the trusted-publishing process. The final payload, a Miasma-family tasking framework, includes REST-based command and control (C2) functionalities and various modules for data collection and propagation while leveraging IPFS for off-registry payload delivery, allowing threat actors to update or remove payloads without republishing. Users are advised to avoid affected versions, upgrade to patched releases, and inspect their environments for potential compromises, given the sophisticated nature of the malware and its persistence mechanisms across different operating systems.
No tracked trend matches for this post yet.
Use this post, company, and trend context to find content marketing opportunities, perform competitive analysis, or address product feature gaps via the Plushcap MCP server or the Plushcap API.