# Compromised npm Packages in the AsyncAPI Namespace Deliver Miasma Botnet Loader

> Source: <https://socket.dev/blog/asyncapi-supply-chain-attack?utm_medium=feed>
> Published: 2026-07-14 08:20:00+00:00

Based on current analysis, the compromised packages deploy an obfuscated first-stage payload that downloads an encrypted second-stage payload, identified as Miasma, from IPFS. Users should avoid affected versions, upgrade to patched releases when available, and review developer and CI environments for signs of compromise.

Socket AI Scanner’s analysis of @asyncapi/generator-helpers1.1.1, one of the malicious packages identified in the current Miasma wave, flags the compromised release as confirmed malware.

The affected AsyncAPI packages are used in tooling workflows that generate API documentation and client code from AsyncAPI definitions. Because these packages may be imported during normal development or CI execution, the malicious payload does not require a separate install hook to run.

Current analysis indicates:

The first-stage payload was injected into src/utils.js.

The payload is hidden behind a large block of leading whitespace between legitimate utility functions.

The code executes at require() time.

Stage 1 launches a detached Node.js child process.

That process downloads a second-stage payload from IPFS.

The second stage persists as sync.js in platform-specific directories disguised as NodeJS.

We are still analyzing the payload but the current findings indicate the decrypted second-stage payload is a botnet framework with capabilities for shell command execution, file operations, credential harvesting, evasion checks, persistence, and multi-protocol command and control.

Users should immediately check whether they installed @asyncapi/generator-helpers, @asyncapi/generator-components, or @asyncapi/generator during the affected window. Rotate credentials exposed to systems where these packages were installed, especially npm tokens, GitHub tokens, cloud credentials, SSH keys, and CI secrets.

Security teams should monitor for Node.js processes spawning detached child processes, network connections to 85[.]137[.]53[.]71, and unexpected modifications under .claude, .vscode, .cursorrules, ~/.local/share/NodeJS, or ~/Library/Application Support/NodeJS.

This is an ongoing investigation and we will update findings as the investigation develops.

Secure your dependencies with us

Socket proactively blocks malicious open source packages in your code.
