Home / Companies / Socket / Blog / Post Details
Content Deep Dive

Compromised npm Packages in the AsyncAPI Namespace Deliver Miasma Botnet Loader

Blog post from Socket

Post Details
Company
Date Published
Author
Socket Research Team
Word Count
2,318
Company Posts That Month
11
Language
English
Hacker News Points
-
Post removed?
No
Summary

Socket's Threat Research Team discovered a security breach involving four npm packages within the @asyncapi namespace, which were found to distribute a multi-stage botnet loader. These compromised packages, identified as containing malware, deliver an obfuscated initial payload that downloads an encrypted secondary payload, named Miasma, from IPFS. The attack strategy involves a JavaScript implant that activates when the module is loaded in Node.js, executing a hidden background process to fetch a larger payload. The malicious versions were published through GitHub Actions using a compromised source commit, highlighting vulnerabilities in the trusted-publishing process. The final payload, a Miasma-family tasking framework, includes REST-based command and control (C2) functionalities and various modules for data collection and propagation while leveraging IPFS for off-registry payload delivery, allowing threat actors to update or remove payloads without republishing. Users are advised to avoid affected versions, upgrade to patched releases, and inspect their environments for potential compromises, given the sophisticated nature of the malware and its persistence mechanisms across different operating systems.

Trends Found in this Post

No tracked trend matches for this post yet.

Use This Data

Use this post, company, and trend context to find content marketing opportunities, perform competitive analysis, or address product feature gaps via the Plushcap MCP server or the Plushcap API.