Find notable cyber news and cases, enriched with sources, timelines, and signals.

Compromised @asyncapi npm packages distributing the Miasma loader

Malware Activity
First reported
Last updated
Happening score
H score 29
1 unique sources, 1 articles

Summary

Hide ▲

Four compromised @asyncapi npm packages now deliver a multi-stage botnet loader when imported, exposing consumers to Miasma payloads during normal Node.js module load. The hidden implant fetches an encrypted second stage from IPFS and runs it outside the install path. The payload is built for credential theft, persistence, and broader post-compromise control. Any build or developer workflow that loaded one of the affected packages may have executed the malware.

Related Happenings

AsyncAPI repositories and npm publishing workflow hit by network compromise

Incident
H score18 First: 15.07.2026 12:16 Last: 15.07.2026 12:16 Sources 1

How related: According to StepSecurity, the attacker is said to have gained push access to the repositories and used the project's own legitimate GitHub Actions release pipeline to publish packages with valid OIDC provenance attestations.

About this happening: The **AsyncAPI** npm publishing pipeline was **compromised**, allowing malicious package versions to be published through the project’s normal release path and putting downstream...

Jscrambler 8.14.0 malicious preinstall infostealer release

Malware Activity
H score9 First: 11.07.2026 20:59 Last: 11.07.2026 20:59 Sources 1

About this happening: The **jscrambler 8.14.0** npm release now ships a **malicious preinstall hook** that runs a **Rust infostealer** during install, putting **developer and CI secrets** at risk on **...

Rollup polyfill npm package malware activity for remote access and data theft

Malware Activity
H score16 First: 03.07.2026 19:07 Last: 03.07.2026 19:07 Sources 1

About this happening: **Malicious npm packages** disguised as **Rollup polyfill tooling** are now delivering **remote-access and data-theft payloads** to developer workstations and build machines. The...

TONResolver RAT delivered via ZIP, LNK, and PowerShell

Malware Activity
H score22 First: 30.06.2026 13:30 Last: 30.06.2026 13:30 Sources 1

About this happening: The **TONResolver** malware implant was delivered through a **ZIP/LNK/PowerShell** chain that can establish a **remote access trojan** foothold and enable **command execution**. T...

Booking.com partner accommodation phishing campaign targeting Japan

Campaign
H score32 First: 30.06.2026 13:30 Last: 30.06.2026 13:30 Sources 1

About this happening: A **phishing campaign** is targeting **Booking.com partner accommodations in Japan** with guest-complaint and review-request lures that deliver **malicious files** for **TONResolv...

Timeline

  1. 15.07.2026 12:16 1 articles · 2h ago

    Compromised @asyncapi npm packages deliver a Miasma botnet loader

    Initial Disclosure

    Four compromised npm packages in the @asyncapi namespace were observed distributing a multi-stage botnet loader that fetches an encrypted second stage, Miasma, from IPFS and runs it as a hidden Node.js implant. The poisoned packages include @asyncapi/[email protected], @asyncapi/[email protected], @asyncapi/[email protected], and @asyncapi/specs v6.11.2 and v6.11.2-alpha.1. The malicious code runs when the infected module is loaded by Node.js, writes an encrypted loader named sync.js to OS-specific paths, and executes it outside the install path. StepSecurity said the attacker gained push access to the repositories and used the project's legitimate GitHub Actions release pipeline with valid OIDC provenance attestations, while the malicious versions were later unpublished from the npm registry.

    Show sources