Compromised @asyncapi npm packages distributing the Miasma loader
Malware Activity
Summary
Hide ▲
Show ▼
Four compromised @asyncapi npm packages now deliver a multi-stage botnet loader when imported, exposing consumers to Miasma payloads during normal Node.js module load. The hidden implant fetches an encrypted second stage from IPFS and runs it outside the install path. The payload is built for credential theft, persistence, and broader post-compromise control. Any build or developer workflow that loaded one of the affected packages may have executed the malware.
Related Happenings
AsyncAPI repositories and npm publishing workflow hit by network compromise
Incident
H score18
First: 15.07.2026 12:16
Last: 15.07.2026 12:16
Sources 1
How related:
According to StepSecurity, the attacker is said to have gained push access to the repositories and used the project's own legitimate GitHub Actions release pipeline to publish packages with valid OIDC provenance attestations.
About this happening:
The **AsyncAPI** npm publishing pipeline was **compromised**, allowing malicious package versions to be published through the project’s normal release path and putting downstream...
AsyncAPI repositories and npm publishing workflow hit by network compromise
IncidentHow related: According to StepSecurity, the attacker is said to have gained push access to the repositories and used the project's own legitimate GitHub Actions release pipeline to publish packages with valid OIDC provenance attestations.
About this happening: The **AsyncAPI** npm publishing pipeline was **compromised**, allowing malicious package versions to be published through the project’s normal release path and putting downstream...
Jscrambler 8.14.0 malicious preinstall infostealer release
Malware Activity
H score9
First: 11.07.2026 20:59
Last: 11.07.2026 20:59
Sources 1
About this happening:
The **jscrambler 8.14.0** npm release now ships a **malicious preinstall hook** that runs a **Rust infostealer** during install, putting **developer and CI secrets** at risk on **...
Jscrambler 8.14.0 malicious preinstall infostealer release
Malware ActivityAbout this happening: The **jscrambler 8.14.0** npm release now ships a **malicious preinstall hook** that runs a **Rust infostealer** during install, putting **developer and CI secrets** at risk on **...
Rollup polyfill npm package malware activity for remote access and data theft
Malware Activity
H score16
First: 03.07.2026 19:07
Last: 03.07.2026 19:07
Sources 1
About this happening:
**Malicious npm packages** disguised as **Rollup polyfill tooling** are now delivering **remote-access and data-theft payloads** to developer workstations and build machines. The...
Rollup polyfill npm package malware activity for remote access and data theft
Malware ActivityAbout this happening: **Malicious npm packages** disguised as **Rollup polyfill tooling** are now delivering **remote-access and data-theft payloads** to developer workstations and build machines. The...
TONResolver RAT delivered via ZIP, LNK, and PowerShell
Malware Activity
H score22
First: 30.06.2026 13:30
Last: 30.06.2026 13:30
Sources 1
About this happening:
The **TONResolver** malware implant was delivered through a **ZIP/LNK/PowerShell** chain that can establish a **remote access trojan** foothold and enable **command execution**. T...
TONResolver RAT delivered via ZIP, LNK, and PowerShell
Malware ActivityAbout this happening: The **TONResolver** malware implant was delivered through a **ZIP/LNK/PowerShell** chain that can establish a **remote access trojan** foothold and enable **command execution**. T...
Booking.com partner accommodation phishing campaign targeting Japan
Campaign
H score32
First: 30.06.2026 13:30
Last: 30.06.2026 13:30
Sources 1
About this happening:
A **phishing campaign** is targeting **Booking.com partner accommodations in Japan** with guest-complaint and review-request lures that deliver **malicious files** for **TONResolv...
Booking.com partner accommodation phishing campaign targeting Japan
CampaignAbout this happening: A **phishing campaign** is targeting **Booking.com partner accommodations in Japan** with guest-complaint and review-request lures that deliver **malicious files** for **TONResolv...
Timeline
-
15.07.2026 12:16 1 articles · 2h ago
Compromised @asyncapi npm packages deliver a Miasma botnet loader
Initial DisclosureFour compromised npm packages in the @asyncapi namespace were observed distributing a multi-stage botnet loader that fetches an encrypted second stage, Miasma, from IPFS and runs it as a hidden Node.js implant. The poisoned packages include @asyncapi/[email protected], @asyncapi/[email protected], @asyncapi/[email protected], and @asyncapi/specs v6.11.2 and v6.11.2-alpha.1. The malicious code runs when the infected module is loaded by Node.js, writes an encrypted loader named sync.js to OS-specific paths, and executes it outside the install path. StepSecurity said the attacker gained push access to the repositories and used the project's legitimate GitHub Actions release pipeline with valid OIDC provenance attestations, while the malicious versions were later unpublished from the npm registry.
Show sources
- Compromised AsyncAPI npm Packages Deliver Multi-Stage Botnet Malware — thehackernews.com — 15.07.2026 12:16