Compromised AsyncAPI npm Packages Deliver Multi-Stage Botnet Malware

Compromised AsyncAPI npm Packages Deliver Multi-Stage Botnet Malware

Compromised AsyncAPI npm Packages Deliver Multi-Stage Botnet Malware

https://thehackernews.com/2026/07/compromised-asyncapi-npm-packages.html

Publish Date: 2026-07-15 05:16:00

Source Domain: thehackernews.com

Four compromised npm packages in the @asyncapi namespace have been observed distributing a multi-stage botnet loader, according to findings from OX Security, SafeDep, Socket, and StepSecurity.

The affected packages are listed below –

“The compromised packages deploy an obfuscated first-stage payload that downloads an encrypted second-stage payload, identified as Miasma, from IPFS,” Socket said.

The poisoned packages ship a hidden JavaScript implant, with each of them containing an injected source file that decodes to the same second-stage downloader. Unlike previous iterations that leveraged install hooks to trigger the execution of a JavaScript payload, the malicious code in this case is run when the infected module is loaded by Node.js, after which it launches a detached background node that downloads and executes the malware from IPFS.

The next-stage payload is an encrypted JavaScript loader named “sync.js,” which is written to operating system-specific paths and executed. The downloader URL is “ipfs[.]io/ipfs/QmQobZSp1wRPrpSEQ56qnyq7ecZh5Bg5k1fnjt4SUwwHb9.” The loader contains two components –

  • The encrypted final JavaScript payload, which decodes to the Miasma tasking framework
  • A large encrypted blob used by the runtime’s spawn-chain framework

The framework bundles 744 modules and is built as a command framework that supports six independent command-and-control (C2) communication channels using HTTP, Nostr relay, IPFS, BitTorrent DHT, libp2p GossipSub P2P mesh, and an Ethereum smart contract.

Besides facilitating credential theft, AI tool poisoning, LAN lateral movement, and worm-like propagation on npm, PyPI, and Cargo registries, Miasma features a persistence mechanism of its own, setting up a systemd, crontab, macOS launchd, and Windows Registry autostart keys.

“Although the malware has some…

Source