Active Exploitation Alert: AsyncAPI npm Supply Chain Attack Delivers Multi-Stage Miasma Botnet via Compromised GitHub Actions

Active Exploitation Alert: AsyncAPI npm Supply Chain Attack Delivers Multi-Stage Miasma Botnet via Compromised GitHub Actions

Executive Summary

In July 2026, a highly sophisticated supply chain attack targeted the AsyncAPI open-source ecosystem, resulting in the compromise of several widely used npm packages. Attackers injected a multi-stage malware loader into trusted @asyncapi packages, ultimately deploying the advanced Miasma botnet framework across macOS, Linux, and Windows environments. The attack leveraged trusted publishing via GitHub Actions, bypassing traditional npm lifecycle script defenses and exploiting the CI/CD pipeline. This incident underscores the growing threat posed by software supply chain attacks, particularly those that exploit automated release workflows and trusted open-source dependencies. Organizations using affected AsyncAPI packages are at risk of persistent compromise, data exfiltration, and lateral movement within their environments.

Threat Actor Profile

The campaign is attributed to an as-yet unidentified threat actor with advanced capabilities in software supply chain manipulation and malware development. The actor demonstrated a deep understanding of the AsyncAPI development and release process, leveraging a malicious commit to the next branch of the official AsyncAPI GitHub repository. The attacker utilized GitHub Actions for trusted publishing, ensuring that the malicious packages appeared legitimate and were cryptographically signed by npm. The malware deployed, known as Miasma (and related to the "Mini Shai-Hulud" family), exhibits advanced persistence, multi-platform compatibility, and multi-channel command-and-control (C2) capabilities. No direct links to known Advanced Persistent Threat (APT) groups have been established, but the operational security and sophistication suggest a well-resourced adversary.

Technical Analysis of Malware/TTPs

The attack chain is notable for its multi-stage architecture, stealthy execution, and resilience against common detection mechanisms.

Initial Compromise and Delivery: The attacker injected obfuscated JavaScript implants into key source files within the AsyncAPI codebase. These implants were included in the following npm packages and versions: @asyncapi/generator-helpers@1.1.1, @asyncapi/generator-components@0.7.1, @asyncapi/generator@3.3.1, @asyncapi/specs@6.11.2, and @asyncapi/specs@6.11.2-alpha.1. The malicious code was published to npm via GitHub Actions using trusted publishing, which cryptographically attested to the provenance of the release.

Execution Flow: Unlike typical npm malware, the implants did not use install-time hooks such as preinstall or postinstall. Instead, the payload executed when the infected module was loaded by Node.js—for example, during build, CLI, or test execution. This approach evaded many static and behavioral detection mechanisms.

Stage 1 – Primary Implant: Upon module load, the obfuscated JavaScript spawned a detached Node.js process to execute the next stage, minimizing its footprint in the parent process.

Stage 2 – IPFS Downloader: The secondary payload downloaded an encrypted JavaScript file, sync.js, from the InterPlanetary File System (IPFS) at hxxps://ipfs[.]io/ipfs/QmQobZSp1wRPrpSEQ56qnyq7ecZh5Bg5k1fnjt4SUwwHb9. The downloader saved sync.js to platform-specific directories, such as %LOCALAPPDATA%\NodeJS\sync.js on Windows, and executed it in the background.

Stage 3 – Encrypted Loader: The sync.js file, approximately 8.25 MB in size, acted as a loader. It decrypted and executed the final payload using HKDF-SHA256 and AES-256-GCM cryptographic primitives. The decrypted payload was a 3.09 MB binary implementing the Miasma botnet framework.

Final Payload – Miasma Botnet Framework: The Miasma framework is a modular, cross-platform botnet with the following capabilities: REST-based C2 communication, file management (list, get, put, delete), shell command execution, payload updates, and persistence via systemd user services on Linux. It supports multi-channel C2, including Nostr (a decentralized messaging protocol), IPFS, Ethereum blockchain, BitTorrent DHT, and mDNS. Persistence is achieved by writing a systemd user service (miasma-monitor.service) and dropping files in hidden directories such as .config/.miasma and .cache/mesa_shader_cache.

Indicators of Compromise (IOCs): Malicious npm packages and their SHA-256 tarball hashes include @asyncapi/generator-helpers@1.1.1 (34014776d3d3ff11bc4439b02fd7ac0f02a887eb3a052eeafff236e2f6db8ad1), @asyncapi/generator-components@0.7.1 (082d733db0687dcd768104972b065d4b58cb1e6043688c6c20fa3702337f36ab), @asyncapi/generator@3.3.1 (bfaeb987faa6de2b5a5eb63b1233d055215b09b0349a9394f2175fd7cdf385e4), @asyncapi/specs@6.11.2 (9b2e65db653ca8575c9b10eefb9a80c6006404812c2ec212bf5675e3c690233b), and @asyncapi/specs@6.11.2-alpha.1 (d425e4583cc6185d41e95c45eda00550045a5d1919b9a012236a4520d009dbd7). Infected source files include src/utils.js, lib/utils/ErrorHandling.js, lib/templates/config/validator.js, and index.js. Network indicators include connections to IPFS, C2 servers at 85.137.53.71:8080, 85.137.53.71:8081, and 85.137.53.71:8091, Nostr relays at relay.damus.io and relay.nostr.com, Ethereum RPC at ethereum-rpc.publicnode.com, and BitTorrent DHT nodes at router.bittorrent.com:6881 and dht.transmissionbt.com:6881. Persistence and runtime paths include %LOCALAPPDATA%\NodeJS\sync.js, ~/Library/Application Support/NodeJS/sync.js, ~/.local/share/NodeJS/sync.js, ~/.config/node/sync.js, ~/.config/.miasma/run/node.lock, ~/.cache/mesa_shader_cache/gl_cache.bin, and ~/.config/systemd/user/miasma-monitor.service.

MITRE ATT&CK Mapping: The attack aligns with the following MITRE ATT&CK techniques: T1195.002 (Compromise Software Supply Chain), T1059.007 (JavaScript Execution), T1105 (Ingress Tool Transfer), T1027 (Obfuscated Files or Information), T1564.001 (Hidden Files and Directories), T1543.002 (Systemd Service), T1059.004 (Unix Shell), T1041 (Exfiltration Over C2 Channel), and T1102 (Web Service).

Exploitation in the Wild

The attack was observed in the wild, particularly in CI/CD environments where AsyncAPI packages are commonly used. The use of GitHub Actions for trusted publishing meant that the malicious packages were cryptographically signed and appeared legitimate to both automated and manual reviewers. The attack vector exploited the automated release pipeline, allowing the malware to propagate rapidly to downstream consumers. At the time of analysis, the C2 infrastructure and IPFS payloads remained active, indicating ongoing exploitation. There is no evidence of targeting specific organizations or geographies; the attack appears opportunistic, aiming to compromise as many systems as possible via the popular AsyncAPI ecosystem.

Victimology and Targeting

The primary victims are organizations and individuals who installed or executed the compromised AsyncAPI npm packages between July 14, 2026, and the subsequent remediation window. This includes software development teams, CI/CD pipelines, open-source consumers, and any environment where the affected packages were integrated. The attack is global in scope, with no evidence of targeting specific sectors or countries. However, the greatest risk is to organizations with automated build and deployment systems, as these environments are more likely to execute package code in privileged contexts, increasing the potential for lateral movement and persistent compromise.

Mitigation and Countermeasures

Immediate action is required for any organization that may have consumed the affected AsyncAPI packages. All instances of the compromised package versions must be removed and replaced with clean releases. Comprehensive audits should be conducted on all systems and CI/CD runners that imported or executed the compromised packages. This includes searching for persistence artifacts such as sync.js, .miasma, and miasma-monitor.service, as well as reviewing logs for suspicious Node.js child processes and outbound connections to IPFS gateways, C2 servers, and Nostr relays. Credentials and secrets exposed to affected environments should be rotated immediately.

Detection strategies should focus on monitoring for Node.js child processes spawned from package code (e.g., node -e), outbound requests to IPFS gateways, creation of suspicious files and systemd services, and connections to the listed C2 infrastructure. Endpoint Detection and Response (EDR) solutions should be configured to alert on these behaviors. Network segmentation and least-privilege principles should be enforced to limit the blast radius of any potential compromise.

Long-term, organizations should review their software supply chain security posture, including the use of trusted publishing, automated release workflows, and dependency management. Implementing tools for software composition analysis, provenance verification, and continuous monitoring of open-source dependencies is critical to reducing exposure to similar attacks in the future.

References

Socket.dev: AsyncAPI Supply Chain Attack Analysis AsyncAPI: Shai-Hulud Postmortem LinkedIn: A security expert's analysis of the AsyncAPI attack daily.dev: AsyncAPI npm packages backdoored MITRE ATT&CK: Techniques NVD: [CVE-2026-XXXX] (pending assignment) Mallory.ai: Threat Story Socket.dev: IOC List AsyncAPI: Security Updates

About Rescana

Rescana is a leader in Third-Party Risk Management (TPRM), providing organizations with a comprehensive platform to continuously monitor, assess, and mitigate risks across their digital supply chain. Our advanced threat intelligence and automation capabilities empower security teams to proactively identify and respond to emerging threats in real time. For more information about how Rescana can help secure your organization’s software supply chain, or for any questions regarding this advisory, please contact us at info@rescana.com.