Compromised npm Packages in the AsyncAPI Namespace Deliver Miasma Botnet Loader

Compromised npm Packages in the AsyncAPI Namespace Deliver Miasma Botnet Loader
Socket’s Threat Research Team found four compromised AsyncAPI npm packages in the @asyncapi namespace that deliver a multi-stage loader leading to the Miasma payload from IPFS. The malicious releases were published through trusted publishing via GitHub Actions, but the poisoned source commit already contained the implant and the final framework includes persistence, REST C2, and multiple fallback channels. #AsyncAPI #Miasma #GitHubActions #IPFS

Keypoints

  • Four compromised npm packages were identified in the @asyncapi namespace: @asyncapi/generator-helpers, @asyncapi/generator-components, @asyncapi/generator, and @asyncapi/specs.
  • The affected versions contain an injected JavaScript implant that loads when the module is imported by Node.js, not via npm lifecycle scripts.
  • The first-stage code launches a detached hidden Node.js process that downloads a second-stage payload from IPFS.
  • The IPFS-delivered payload is an encrypted loader named sync.js that decrypts and executes the final Miasma framework.
  • The final payload includes REST-based C2, file management, shell execution, beacon updates, and persistence features such as a Linux systemd user service.
  • The malicious packages were published through GitHub Actions trusted publishing, but the source commit already contained the implant, indicating compromise of the source or release path.
  • Defenders are advised to treat systems that imported affected versions as potentially compromised and to monitor for Node.js child processes, IPFS traffic, and miasma-named artifacts.

MITRE Techniques

  • [T1195.002] Compromise Software Supply Chain – The attacker poisoned legitimate package code and released it through npm trusted publishing (‘a pushed commit on next was built and published by the trusted-publishing workflow’).
  • [T1059.007] JavaScript – The malware is implemented as injected JavaScript that runs when the infected module is loaded (‘a hidden JavaScript implant’ and ‘the real code runs at module load time’).
  • [T1105] Ingress Tool Transfer – The implant downloads a second-stage payload and later fetches sync.js from IPFS (‘downloads an encrypted second-stage payload’ and ‘retrieves sync.js from IPFS’).
  • [T1027] Obfuscated Files or Information – The first-stage implant is heavily obfuscated with encoded strings and decoder logic (‘Hex-like function and variable names’ and ‘a string table containing base64-encoded entries’).
  • [T1564.001] Hidden Files and Directories – The payload stores data in disguised application-data and hidden runtime paths (‘writes it into a directory disguised as Node.js runtime state’ and ‘Writes under .config/.miasma’).
  • [T1543.002] Systemd Service – The payload attempts persistence via a Linux systemd user service (‘it wrote a systemd user unit’ and ‘miasma-monitor.service’).
  • [T1059.004] Unix Shell – The final payload supports shell execution as part of its tasking framework (‘ShellExec’ and ‘Safe command exercise confirmed working handlers for … shell execution’).
  • [T1041] Exfiltration Over C2 Channel – The framework posts command results back over its C2 infrastructure (‘accepts encrypted tasking, and posts command results back to the same infrastructure’).
  • [T1102] Web Service – The operator uses web services such as HTTP APIs, IPFS gateways, and REST endpoints for delivery and control (‘REST-based C2’, ‘IPFS gateway’, and ‘/api/v1/beacon’).

Indicators of Compromise

  • [Malicious npm packages] Compromised releases in the @asyncapi namespace – @asyncapi/[email protected], @asyncapi/[email protected], and @asyncapi/[email protected], plus @asyncapi/[email protected] and @asyncapi/[email protected]
  • [Infected source files] Poisoned source code locations in the published packages – src/utils.js, lib/utils/ErrorHandling.js, lib/templates/config/validator.js, and index.js
  • [SHA-256 hashes] Package and file hashes for detection – 34014776d3d3ff11bc4439b02fd7ac0f02a887eb3a052eeafff236e2f6db8ad1, 082d733db0687dcd768104972b065d4b58cb1e6043688c6c20fa3702337f36ab, and other 8 items
  • [IPFS URL/CID] Second-stage downloader hosted on IPFS – hxxps://ipfs[.]io/ipfs/QmQobZSp1wRPrpSEQ56qnyq7ecZh5Bg5k1fnjt4SUwwHb9, QmQobZSp1wRPrpSEQ56qnyq7ecZh5Bg5k1fnjt4SUwwHb9
  • [C2 servers] Primary command-and-control infrastructure – hxxp://85[.]137[.]53[.]71:8080, hxxp://85[.]137[.]53[.]71:8081, and hxxp://85[.]137[.]53[.]71:8091
  • [Network endpoints] Additional tasking and content endpoints – hxxp://85[.]137[.]53[.]71:8080/api/v1/beacon, hxxp://85[.]137[.]53[.]71:8080/api/v1/file-result, and hxxps://ipfs[.]io/api/v0/cat?arg=
  • [Domains and relays] Alternative discovery and transport infrastructure – wss://relay[.]damus[.]io, wss://relay[.]nostr[.]com, router[.]bittorrent[.]com:6881, and dht[.]transmissionbt[.]com:6881
  • [File and persistence paths] Runtime and persistence artifacts – %LOCALAPPDATA%NodeJSsync.js, ~/.config/.miasma/run/node.lock, and ~/.config/systemd/user/miasma-monitor.service
  • [Public keys and contract] Embedded cryptographic and blockchain identifiers – 04166c33b1bcbd7a76bc68d1e4a5b795f334e5bd9c64007b1c30715b1b1044fd6d7490cd5e6e69b9b5988049cf707bc1f58b9ace7255b00ad4425760180a2d8723, 0432fa4ba871877d94081fe83323fa24dfa1491e9de8725cbab7b734de9e9be3b233ef6742fd6264437c9532223d687b05fa540b70af6a516b8539af84d0eeb48e, and 0x12c37A86a0Ed0beBe5d1d6a43E42f07860eAc710


Read more: https://socket.dev/blog/asyncapi-supply-chain-attack