# Miasma v3 Exploits npm Packages to Breach Developer Systems

*Published July 15, 2026*
*Source: [https://cybersecuritynews.com/miasma-turns-trusted-npm-packages-into-persistent-backdoors/](https://cybersecuritynews.com/miasma-turns-trusted-npm-packages-into-persistent-backdoors/)*

## Executive Summary

Miasma v3 has exploited legitimate npm packages to create persistent backdoors on developer systems. This sophisticated attack uses trusted workflows to deliver the payload, making it difficult to detect and emphasizing the need for robust security practices.

## Article

The Miasma malware has resurfaced, exploiting trusted npm packages to establish persistent backdoors on developer machines. This latest campaign involves four trojanized AsyncAPI packages on npm, which have been modified to deliver the Miasma v3 payload. Unlike typical malware, this attack does not activate immediately upon package installation. Instead, it deploys when an affected module is loaded by an application, generator, or build process, making it difficult to detect initially.

Researchers at JFrog uncovered this activity by tracing the changes in package releases and decoding the payload. The attackers used AsyncAPI’s legitimate GitHub Actions release workflow and npm’s trusted-publisher integration for distribution, ensuring the packages appeared authentic. Despite carrying valid provenance attestations, the attack relied on unauthorized direct commits to the release-triggering branch, bypassing traditional code reviews.

The compromised packages conceal malicious code within regular source files, avoiding detection by reviewers. When Node.js loads the altered module, it initiates a child process that continues running in the background without disrupting the normal application or CI task. This process retrieves a second-stage file from an IPFS gateway and executes it, establishing a persistent backdoor.

Miasma v3 is known for enabling encrypted communications, remote shell execution, and payload replacement. It targets user-level persistence across Linux, Windows, and macOS, although some methods may fail. Organizations with potentially affected systems should treat them as compromised if they have loaded the impacted code. Immediate action is crucial to identify and isolate affected systems, preserve evidence, and remove malicious artifacts. Review and tighten security measures, including enforcing code reviews and restricting workflow permissions, to safeguard against future attacks.
