<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>@Asyncapi/Generator-Helpers@1.1.1 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/@asyncapi/generator-helpers@1.1.1/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 16 Jul 2026 01:50:36 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/@asyncapi/generator-helpers@1.1.1/feed.xml" rel="self" type="application/rss+xml"/><item><title>AsyncAPI npm Supply Chain Compromise via GitHub Actions</title><link>https://feed.craftedsignal.io/briefs/2026-07-asyncapi-npm-compromise/</link><pubDate>Thu, 16 Jul 2026 01:50:36 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-asyncapi-npm-compromise/</guid><description>Threat actors compromised AsyncAPI npm packages by exploiting a misconfigured GitHub Actions workflow, stealing a privileged bot token, and injecting obfuscated Miasma malware into multiple packages, which then executed at module-load time to establish persistence and command and control, bypassing standard npm installation mitigations.</description><content:encoded><![CDATA[<p>Microsoft Threat Intelligence identified a coordinated supply chain compromise affecting the <code>@asyncapi</code> npm organization on July 14, 2026. Threat actors exploited a misconfigured GitHub Actions workflow to steal a privileged <code>asyncapi-bot</code> Personal Access Token (PAT), enabling them to inject heavily obfuscated malware loaders into five package versions across four AsyncAPI npm packages. These poisoned packages were then published via the project's legitimate CI/CD pipeline, including <code>@asyncapi/specs</code> (6.11.2-alpha.1, 6.11.2), <code>@asyncapi/generator@3.3.1</code>, <code>@asyncapi/generator-components@0.7.1</code>, and <code>@asyncapi/generator-helpers@1.1.1</code>. The malicious code, identified as <code>Miasma</code> (detected as <code>Trojan:JS/MiasmStealer.SC</code> and <code>Trojan:Script/Supychain.A</code>), executes at module-load (import/require) time, effectively bypassing the <code>npm install --ignore-scripts</code> mitigation. This campaign impacts developer workstations, CI/CD pipelines, container builds, and production services that import the affected versions, establishing persistence and command and control, with capabilities for credential harvesting and propagation.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker exploits a vulnerable GitHub Actions workflow (<code>pull_request_target</code>) in the <code>asyncapi/generator</code> repository by submitting a malicious pull request (e.g., PR #2155).</li>
<li>The misconfigured workflow executes attacker-controlled code, leading to the theft of a privileged <code>asyncapi-bot</code> Personal Access Token (PAT).</li>
<li>The attacker uses the stolen PAT to push commits containing heavily obfuscated JavaScript loaders into AsyncAPI package source files (e.g., <code>index.js</code>).</li>
<li>The project's legitimate CI/CD pipelines, authenticated via GitHub Actions OpenID Connect (OIDC) with the compromised identity <code>npm-oidc-no-reply@github.com</code>, publish the poisoned npm packages (e.g., <code>@asyncapi/specs@6.11.2</code>).</li>
<li>Downstream consumers download and import the compromised AsyncAPI packages; the malicious code executes at <code>require()</code> or <code>import</code> time, spawning a hidden, detached child process.</li>
<li>The child process downloads the <code>sync.js</code> second-stage payload (Miasma modular runtime) from an IPFS endpoint.</li>
<li>The <code>sync.js</code> payload is written to an OS-specific &quot;NodeJS&quot; masquerade directory, establishing persistence and initiating active command and control (C2) communication with <code>85.137.53.71</code> on ports <code>8080</code>, <code>8081</code>, and <code>8091</code>.</li>
<li>The Miasma runtime establishes resilient C2 communication channels and has capabilities for credential harvesting, encrypted exfiltration, and supply-chain propagation, though some modules were disabled in this observed build.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The compromise of AsyncAPI npm packages directly impacts developer workstations, CI/CD pipelines, container builds, and production services that resolved and imported the affected versions. The <code>Miasma</code> modular runtime establishes persistent access and active command and control, posing a significant risk for further exploitation, including potential credential harvesting, data exfiltration, and lateral movement within compromised environments. Microsoft Defender Antivirus detects the malicious artifacts as <code>Trojan:JS/MiasmStealer.SC</code> and <code>Trojan:Script/Supychain.A</code>. If successful, this supply chain attack could lead to widespread code integrity issues, intellectual property theft, and unauthorized access to development infrastructure.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately remove all five affected package versions: <code>@asyncapi/specs@6.11.2-alpha.1</code>, <code>@asyncapi/specs@6.11.2</code>, <code>@asyncapi/generator@3.3.1</code>, <code>@asyncapi/generator-components@0.7.1</code>, and <code>@asyncapi/generator-helpers@1.1.1</code>.</li>
<li>Purge npm and Yarn caches on all affected systems to ensure no cached malicious packages are re-installed.</li>
<li>Hunt for the <code>sync.js</code> file under &quot;NodeJS&quot; masquerade directories across developer workstations and CI/CD environments using <code>Detect Miasma sync.js Payload Drop</code> Sigma rule.</li>
<li>Block outbound connections to <code>85.137.53.71</code> on ports <code>8080</code>, <code>8081</code>, and <code>8091</code> at your network perimeter using <code>Detect Miasma C2 Network Connection</code> Sigma rule.</li>
<li>Rotate all credentials (including GitHub Personal Access Tokens and npm authentication tokens) that were accessible from any environment or service that imported the compromised packages.</li>
<li>Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect <code>Miasma</code> activity.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>supply-chain</category><category>npm</category><category>github-actions</category><category>malware</category><category>javascript</category><category>nodejs</category><category>ci-cd</category></item></channel></rss>