{"id":289760,"date":"2026-07-15T05:16:00","date_gmt":"2026-07-15T09:16:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/07\/15\/compromised-asyncapi-npm-packages-deliver-multi-stage-botnet-malware\/"},"modified":"2026-07-15T09:10:09","modified_gmt":"2026-07-15T13:10:09","slug":"compromised-asyncapi-npm-packages-deliver-multi-stage-botnet-malware","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/07\/15\/compromised-asyncapi-npm-packages-deliver-multi-stage-botnet-malware\/","title":{"rendered":"Compromised AsyncAPI npm Packages Deliver Multi-Stage Botnet Malware"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/07\/compromised-asyncapi-npm-packages.html\">Compromised AsyncAPI npm Packages Deliver Multi-Stage Botnet Malware<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/07\/compromised-asyncapi-npm-packages.html\">https:\/\/thehackernews.com\/2026\/07\/compromised-asyncapi-npm-packages.html<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-07-15 05:16:00<\/a><\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p>Four compromised npm packages in the @asyncapi namespace have been observed distributing a multi-stage botnet loader, according to findings from OX Security, SafeDep, Socket, and StepSecurity.<\/p>\n<p>The affected packages are listed below &#8211;<\/p>\n<ul>\n<li>@asyncapi\/generator-helpers@1.1.1<\/li>\n<li>@asyncapi\/generator-components@0.7.1<\/li>\n<li>@asyncapi\/generator@3.3.1<\/li>\n<li>@asyncapi\/specs(v6.11.2, v6.11.2-alpha.1)<\/li>\n<\/ul>\n<p>&#8220;The compromised packages deploy an obfuscated first-stage payload that downloads an encrypted second-stage payload, identified as Miasma, from IPFS,&#8221; Socket said.<\/p>\n<p>The poisoned packages ship a hidden JavaScript implant, with each of them containing an injected source file that decodes to the same second-stage downloader. Unlike previous iterations that leveraged install hooks to trigger the execution of a JavaScript payload, the malicious code in this case is run when the infected module is loaded by Node.js, after which it launches a detached background node that downloads and executes the malware from IPFS.<\/p>\n<p>The next-stage payload is an encrypted JavaScript loader named &#8220;sync.js,&#8221; which is written to operating system-specific paths and executed. The downloader URL is &#8220;ipfs[.]io\/ipfs\/QmQobZSp1wRPrpSEQ56qnyq7ecZh5Bg5k1fnjt4SUwwHb9.&#8221; The loader contains two components &#8211;<\/p>\n<ul>\n<li>The encrypted final JavaScript payload, which decodes to the Miasma tasking framework<\/li>\n<li>A large encrypted blob used by the runtime&#8217;s spawn-chain framework<\/li>\n<\/ul>\n<p>The framework bundles 744 modules and is built as a command framework that supports six independent command-and-control (C2) communication channels using HTTP, Nostr relay, IPFS, BitTorrent DHT, libp2p GossipSub P2P mesh, and an Ethereum smart contract.<\/p>\n<p><img decoding=\"async\" alt=\"\" border=\"0\" data-original-height=\"898\" data-original-width=\"1053\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiUcL3M6wy0HH0NFCXGNc5GZp4zueYcq7HIwgANEsslfT6x-elbIPlQ8ACaFbW31xI9iWUC5oSgQzotXYA2Xel0KEzhQ_ogstNHL8pWT24XkOaqSnDIc8TwqXpwRzxA-im1JHdjH7WaRBvlAoJEhteGKE0PZYacu8QNdQtpvBgaYdvk5hu6ZtG2WY8NXISp\/s1600\/oxox.jpg\"\/><\/p>\n<p>Besides facilitating credential theft, AI tool poisoning, LAN lateral movement, and worm-like propagation on npm, PyPI, and Cargo registries, Miasma features a persistence mechanism of its own, setting up a systemd, crontab, macOS launchd, and Windows Registry autostart keys.<\/p>\n<p>&#8220;Although the malware has some&#8230;<\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/07\/compromised-asyncapi-npm-packages.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Compromised AsyncAPI npm Packages Deliver Multi-Stage Botnet Malware https:\/\/thehackernews.com\/2026\/07\/compromised-asyncapi-npm-packages.html Publish Date: 2026-07-15 05:16:00 Source Domain:&#8230;<\/p>\n","protected":false},"author":1,"featured_media":289761,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgXEluWW9TuNGlzu9wVHSDBzAeUuoRS9Om8kX9yzH-HwCjggh-N5ycLyuJ82oY3MP4Uvf9yF_PqwKhcZepDBEH_pOb3td4dPRuuGSWi5XndfpeuqiMipzKIq0Vofc-hOBGj4nWxmXbjMS7RvHkZCUSHloOpsS6m7jpwwFX-2KUkYwrQdt-ClrGXpt2C9TxC\/s1600\/async-npm.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[26,32],"class_list":["post-289760","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-ai","tag-malware"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/289760"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=289760"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/289760\/revisions"}],"predecessor-version":[{"id":289762,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/289760\/revisions\/289762"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/289761"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=289760"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=289760"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=289760"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}