[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fSqUA5eoiCKdzqWjKfVTkmtTJw9c0LhgSnZWL8WlosyA":3},{"article":4,"iocs":53},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":30,"category":31,"article_tags":35},"58f8b1b9-9d40-478f-9c84-01f020ede9c0","Compromised npm Packages in the AsyncAPI Namespace Deliver Miasma Botnet Loader","compromised-npm-packages-in-the-asyncapi-namespace-deliver-miasma-botnet-loader-103495","Socket's Threat Research Team identified three compromised npm packages in the @asyncapi namespace distributing a multi-stage botnet loader. The affected packages are @asyncapi\u002Fgenerator-helpers(v1.1.1), @asyncapi\u002Fgenerator-components(v0.7.1), and @asyncapi\u002Fgenerator(v3.3.1). Based on current analysis, the compromised packages deploy an obfuscated first-stage payload that downloads an encrypted second-stage payload, identified as Miasma, from IPFS. Users should avoid affected versions, upgrade to patched releases when available, and review developer and CI environments for signs of compromise. Socket AI Scanner’s analysis of @asyncapi\u002Fgenerator-helpers1.1.1, one of the malicious packages identified in the current Miasma wave, flags the compromised release as confirmed malware. Technical Analysis # The affected AsyncAPI packages are used in tooling workflows that generate API documentation and client code from AsyncAPI definitions. Because these packages may be imported during normal development or CI execution, the malicious payload does not require a separate install hook to run. Current analysis indicates: The first-stage payload was injected into src\u002Futils.js. The payload is hidden behind a large block of leading whitespace between legitimate utility functions. The code executes at require() time. Stage 1 launches a detached Node.js child process. That process downloads a second-stage payload from IPFS. The second stage persists as sync.js in platform-specific directories disguised as NodeJS. \u002F\u002F Analyst note: Obfuscated first-stage dropper, triggered when the package is required. const { spawn } = require('child_process'); spawn('node', ['-e', downloadStage2Code], { detached: true, stdio: 'ignore', windowsHide: true }).unref(); The observed IPFS target is: hxxps:\u002F\u002Fipfs[.]io\u002Fipfs\u002FQmQobZSp1wRPrpSEQ56qnyq7ecZh5Bg5k1fnjt4SUwwHb9 The second-stage payload persists to: macOS: ~\u002FLibrary\u002FApplication Support\u002FNodeJS\u002Fsync.js Linux: ~\u002F.local\u002Fshare\u002FNodeJS\u002Fsync.js Windows: %LOCALAPPDATA%\\NodeJS\\sync.js We are still analyzing the payload but the current findings indicate the decrypted second-stage payload is a botnet framework with capabilities for shell command execution, file operations, credential harvesting, evasion checks, persistence, and multi-protocol command and control. Recommendations # Users should immediately check whether they installed @asyncapi\u002Fgenerator-helpers, @asyncapi\u002Fgenerator-components, or @asyncapi\u002Fgenerator during the affected window. Rotate credentials exposed to systems where these packages were installed, especially npm tokens, GitHub tokens, cloud credentials, SSH keys, and CI secrets. Security teams should monitor for Node.js processes spawning detached child processes, network connections to 85[.]137[.]53[.]71, and unexpected modifications under .claude, .vscode, .cursorrules, ~\u002F.local\u002Fshare\u002FNodeJS, or ~\u002FLibrary\u002FApplication Support\u002FNodeJS. This is an ongoing investigation and we will update findings as the investigation develops.","Three npm packages within the @asyncapi namespace have been compromised, distributing a multi-stage botnet loader known as Miasma. The malicious code is injected into utility functions and executes upon package import, downloading an encrypted second-stage payload from IPFS. The botnet exhibits capabilities for command execution, file operations, credential harvesting, and multi-protocol C2.","Compromised npm packages in the @asyncapi namespace distribute Miasma botnet loader.","Research\u002FSecurity Newsjscrambler npm Package Compromised in Supply Chain AttackA compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.By Socket Research Team - Jul 11, 2026","https:\u002F\u002Fsocket.dev\u002Fblog\u002Fasyncapi-supply-chain-attack?utm_medium=feed","https:\u002F\u002Fcdn.sanity.io\u002Fimages\u002Fcgdhsj6q\u002Fproduction\u002Fddf8b456a4efe14ec9318dd3af5de58842e4b9f9-2468x780.png?w=1000&q=95&fit=max&auto=format","2026-07-14T08:20:00+00:00","2026-07-14T10:00:21.799096+00:00",9,[18,21,23,25,28],{"name":19,"type":20},"@asyncapi\u002Fgenerator-helpers","product",{"name":22,"type":20},"@asyncapi\u002Fgenerator-components",{"name":24,"type":20},"@asyncapi\u002Fgenerator",{"name":26,"type":27},"npm","technology",{"name":29,"type":27},"IPFS","26b0b636-0e31-4db1-bffb-61bdf9f20a58",{"id":30,"icon":32,"name":33,"slug":34},null,"Supply Chain","supply-chain",[36,38,43,48],{"category":37},{"id":30,"icon":32,"name":33,"slug":34},{"category":39},{"id":40,"icon":32,"name":41,"slug":42},"89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5","Malware","malware",{"category":44},{"id":45,"icon":32,"name":46,"slug":47},"ade75414-7914-4e23-a450-48b64546ee70","Open Source","open-source",{"category":49},{"id":50,"icon":32,"name":51,"slug":52},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[54,58,62],{"type":55,"value":56,"context":57},"url","https:\u002F\u002Fipfs[.]io\u002Fipfs\u002FQmQobZSp1wRPrpSEQ56qnyq7ecZh5Bg5k1fnjt4SUwwHb9","IPFS URL for second-stage payload download",{"type":59,"value":60,"context":61},"ip","85[.]137[.]53[.]71","Network connection target for monitoring",{"type":42,"value":63,"context":64},"Miasma","Name of the botnet loader"]