cd /news/developer-tools/compromised-npm-packages-in-the-asyn… · home topics developer-tools article
[ARTICLE · art-58583] src=socket.dev ↗ pub= topic=developer-tools verified=true sentiment=↓ negative

Compromised npm Packages in the AsyncAPI Namespace Deliver Miasma Botnet Loader

Compromised npm packages in the AsyncAPI namespace deliver the Miasma botnet loader, deploying an obfuscated first-stage payload that downloads an encrypted second-stage payload from IPFS. The affected packages, including @asyncapi/generator-helpers, are used in tooling workflows and execute malicious code at require() time, leading to a botnet framework with capabilities for shell command execution, credential harvesting, and persistence. Users are urged to check for affected versions, rotate exposed credentials, and monitor for indicators of compromise.

read1 min views1 publishedJul 14, 2026
Compromised npm Packages in the AsyncAPI Namespace Deliver Miasma Botnet Loader
Image: Socket (auto-discovered)

Based on current analysis, the compromised packages deploy an obfuscated first-stage payload that downloads an encrypted second-stage payload, identified as Miasma, from IPFS. Users should avoid affected versions, upgrade to patched releases when available, and review developer and CI environments for signs of compromise.

Socket AI Scanner’s analysis of @asyncapi/generator-helpers1.1.1, one of the malicious packages identified in the current Miasma wave, flags the compromised release as confirmed malware.

The affected AsyncAPI packages are used in tooling workflows that generate API documentation and client code from AsyncAPI definitions. Because these packages may be imported during normal development or CI execution, the malicious payload does not require a separate install hook to run.

Current analysis indicates:

The first-stage payload was injected into src/utils.js.

The payload is hidden behind a large block of leading whitespace between legitimate utility functions.

The code executes at require() time. Stage 1 launches a detached Node.js child process.

That process downloads a second-stage payload from IPFS.

The second stage persists as sync.js in platform-specific directories disguised as NodeJS.

We are still analyzing the payload but the current findings indicate the decrypted second-stage payload is a botnet framework with capabilities for shell command execution, file operations, credential harvesting, evasion checks, persistence, and multi-protocol command and control.

Users should immediately check whether they installed @asyncapi/generator-helpers, @asyncapi/generator-components, or @asyncapi/generator during the affected window. Rotate credentials exposed to systems where these packages were installed, especially npm tokens, GitHub tokens, cloud credentials, SSH keys, and CI secrets.

Security teams should monitor for Node.js processes spawning detached child processes, network connections to 85[.]137[.]53[.]71, and unexpected modifications under .claude, .vscode, .cursorrules, ~/.local/share/NodeJS, or ~/Library/Application Support/NodeJS.

This is an ongoing investigation and we will update findings as the investigation develops.

Secure your dependencies with us

Socket proactively blocks malicious open source packages in your code.

── more in #developer-tools 4 stories · sorted by recency
── more on @asyncapi 3 stories trending now
sponsored brought to you by zahid.host 4,200+ EU-deployed projects
reading about agents? ship yours in a single git push.

Run your AI side-project on zahid.host

EU-based hosting, git-push deploys, automatic HTTPS, no cold starts. Free tier with a custom domain — perfect for shipping the agent you just read about.

$git push zahid main
Live at https://your-agent.zahid.host
Get free account → Pricing
from €0/mo · no card required
LIVE [news/compromised-npm-pack…] indexed:0 read:1min 2026-07-14 ·