{"slug": "compromised-npm-packages-in-the-asyncapi-namespace-deliver-miasma-botnet-loader", "title": "Compromised npm Packages in the AsyncAPI Namespace Deliver Miasma Botnet Loader", "summary": "Compromised npm packages in the AsyncAPI namespace deliver the Miasma botnet loader, deploying an obfuscated first-stage payload that downloads an encrypted second-stage payload from IPFS. The affected packages, including @asyncapi/generator-helpers, are used in tooling workflows and execute malicious code at require() time, leading to a botnet framework with capabilities for shell command execution, credential harvesting, and persistence. Users are urged to check for affected versions, rotate exposed credentials, and monitor for indicators of compromise.", "body_md": "Based on current analysis, the compromised packages deploy an obfuscated first-stage payload that downloads an encrypted second-stage payload, identified as Miasma, from IPFS. Users should avoid affected versions, upgrade to patched releases when available, and review developer and CI environments for signs of compromise.\n\nSocket AI Scanner’s analysis of @asyncapi/generator-helpers1.1.1, one of the malicious packages identified in the current Miasma wave, flags the compromised release as confirmed malware.\n\nThe affected AsyncAPI packages are used in tooling workflows that generate API documentation and client code from AsyncAPI definitions. Because these packages may be imported during normal development or CI execution, the malicious payload does not require a separate install hook to run.\n\nCurrent analysis indicates:\n\nThe first-stage payload was injected into src/utils.js.\n\nThe payload is hidden behind a large block of leading whitespace between legitimate utility functions.\n\nThe code executes at require() time.\n\nStage 1 launches a detached Node.js child process.\n\nThat process downloads a second-stage payload from IPFS.\n\nThe second stage persists as sync.js in platform-specific directories disguised as NodeJS.\n\nWe are still analyzing the payload but the current findings indicate the decrypted second-stage payload is a botnet framework with capabilities for shell command execution, file operations, credential harvesting, evasion checks, persistence, and multi-protocol command and control.\n\nUsers should immediately check whether they installed @asyncapi/generator-helpers, @asyncapi/generator-components, or @asyncapi/generator during the affected window. Rotate credentials exposed to systems where these packages were installed, especially npm tokens, GitHub tokens, cloud credentials, SSH keys, and CI secrets.\n\nSecurity teams should monitor for Node.js processes spawning detached child processes, network connections to 85[.]137[.]53[.]71, and unexpected modifications under .claude, .vscode, .cursorrules, ~/.local/share/NodeJS, or ~/Library/Application Support/NodeJS.\n\nThis is an ongoing investigation and we will update findings as the investigation develops.\n\nSecure your dependencies with us\n\nSocket proactively blocks malicious open source packages in your code.", "url": "https://wpnews.pro/news/compromised-npm-packages-in-the-asyncapi-namespace-deliver-miasma-botnet-loader", "canonical_source": "https://socket.dev/blog/asyncapi-supply-chain-attack?utm_medium=feed", "published_at": "2026-07-14 08:20:00+00:00", "updated_at": "2026-07-14 09:08:06.040816+00:00", "lang": "en", "topics": ["developer-tools", "ai-tools", "ai-safety"], "entities": ["AsyncAPI", "Socket AI Scanner", "Miasma", "npm", "IPFS", "Node.js"], "alternates": {"html": "https://wpnews.pro/news/compromised-npm-packages-in-the-asyncapi-namespace-deliver-miasma-botnet-loader", "markdown": "https://wpnews.pro/news/compromised-npm-packages-in-the-asyncapi-namespace-deliver-miasma-botnet-loader.md", "text": "https://wpnews.pro/news/compromised-npm-packages-in-the-asyncapi-namespace-deliver-miasma-botnet-loader.txt", "jsonld": "https://wpnews.pro/news/compromised-npm-packages-in-the-asyncapi-namespace-deliver-miasma-botnet-loader.jsonld"}}