Four npm packages in the @asyncapi namespace were compromised to deliver a multi-stage botnet loader, according to coordinated disclosures from OX Security, Socket, SafeDep, and StepSecurity. The affected packages collectively see approximately 2 million weekly downloads.

The compromised packages are @asyncapi/[email protected], @asyncapi/[email protected], @asyncapi/[email protected], and @asyncapi/specs (versions 6.11.2 and 6.11.2-alpha.1). All malicious versions have been unpublished from the npm registry.

How the Pipeline Was Hijacked

The attacker gained push access to the AsyncAPI repositories and used the projects’ own legitimate GitHub Actions release workflows to publish the backdoored packages, according to StepSecurity. The attacker bypassed npm token theft entirely, pushing commits under a placeholder git identity and relying on each repository’s own release workflow to publish via npm’s GitHub OIDC trusted-publisher integration.

The result: the poisoned packages shipped with valid SLSA provenance attestations. Those attestations proved only that the project’s authorized workflow produced them, not that the triggering commits were legitimate. “Provenance does not protect against a compromised push credential,” security researcher Rohan Prabhu told The Hacker News.

The Miasma Payload

Each compromised package contained an injected JavaScript file that activates when the infected module is loaded by Node.js. Rather than using install hooks (a pattern security scanners typically flag), the implant launches a detached background process that downloads an encrypted second-stage payload from IPFS, according to Socket’s analysis.

The final payload is the Miasma tasking framework: a 744-module command framework that supports six independent command-and-control communication channels. These span HTTP, Nostr relay, IPFS, BitTorrent DHT, libp2p GossipSub P2P mesh, and an Ethereum smart contract, per The Hacker News. The redundancy across decentralized protocols makes takedown significantly harder than single-endpoint C2 infrastructure.

Miasma’s capabilities include credential theft, AI tool poisoning, LAN lateral movement, and worm-like propagation across npm, PyPI, and Cargo registries. It sets up persistence through systemd, crontab, macOS launchd, and Windows Registry autostart keys, according to The Hacker News. A dead man’s switch monitors a stolen token and triggers a directory wipe if the token is revoked.

The malware avoids systems identified as sandboxes or virtual environments, those with the current language set to Russian, and those running security tools from CrowdStrike, SentinelOne, Microsoft Defender, CarbonBlack, Cylance, Osquery, Tanium, or Qualys.

Not the Same Miasma

Despite sharing the Miasma name and containing the string multiple times in its code, this payload is not the same malware as the Miasma/Shai-Hulud/TeamPCP campaigns documented in previous supply chain attacks, according to OX Security researcher Moshe Siman Tov Bustan, as reported by The Hacker News. OX Security classified the attack as a “highly sophisticated, multi-stage supply chain attack” functioning as a hybrid info-stealer, crypto-stealer, and remote access tool.

The Provenance Trust Gap

The core lesson for teams building agent infrastructure: SLSA provenance attestations verify that a package was built by an authorized workflow, not that the source code triggering that workflow is trustworthy. Any system that pins trust to CI/CD pipeline provenance without also validating the commit author and code diff remains vulnerable to this class of attack.

Any endpoint that imported or executed one of the affected package versions should be treated as potentially compromised. Exposure depends on whether the malicious code path was actually triggered during the dependency’s runtime execution.