# Compromised AsyncAPI npm Packages Unleash Complex Botnet Malware

*Published July 17, 2026*
*Source: [https://thehackernews.com/2026/07/compromised-asyncapi-npm-packages.html](https://thehackernews.com/2026/07/compromised-asyncapi-npm-packages.html)*

## Executive Summary

Four npm packages within the @asyncapi namespace were compromised to distribute a sophisticated botnet malware called Miasma. The breach exploited a GitHub Actions vulnerability, leading to potential credential theft and network infiltration.

## Article

A recent security incident involving the popular @asyncapi namespace on npm has revealed that four packages were compromised to distribute a sophisticated multi-stage botnet loader. Security firms including OX Security, SafeDep, Socket, and StepSecurity have reported that these packages deliver an obfuscated payload that downloads an encrypted malware component, known as Miasma, from the InterPlanetary File System (IPFS). Once executed, this malware facilitates credential theft, lateral movement within networks, and even AI tool poisoning.

The attack exploits a vulnerability in the GitHub Actions workflow, allowing an attacker to push malicious commits using a placeholder identity. The compromised packages are capable of launching a detached background process in Node.js, which then downloads and executes further malware stages. This sophisticated malware leverages a range of command-and-control communication channels, including HTTP, IPFS, and Ethereum smart contracts, making it exceptionally versatile.

While the malware shares similarities with previous campaigns like Shai-Hulud, it is not directly linked to any known threat actor. Microsoft has identified this activity under the names MiasmStealer and Supychain. All malicious package versions have been removed from the npm registry, but endpoints that imported these packages may still be compromised. Organizations are advised to scrutinize their systems for any signs of infection.

The attack highlights a significant vulnerability in CI/CD pipelines, where provenance attestations can be misleading. This incident underscores the importance of securing development environments and ensuring that workflows are not misconfigured to expose secrets to unauthorized code execution.
