4 AsyncAPI packages beforehand affected by the Shai-Hulud: The Second Coming marketing campaign have been compromised once more, with new malicious releases delivering a RAT-focused construct of the Miasma worm.
The impacted variations are @asyncapi/generator 3.3.13.3.13.3.1, @asyncapi/generator-components 0.7.10.7.10.7.1, @asyncapi/generator-helpers 1.1.11.1.11.1.1, and @asyncapi/specs 6.11.26.11.26.11.2 and 6.11.2−alpha.16.11.2-alpha.16.11.2−alpha.1.
In contrast to the prior Miasma exercise, the AsyncAPI packages don’t use malicious preinstall, set up, or postinstall lifecycle hooks.
As a substitute, the attackers inserted an roughly 7.77.77.7 KB obfuscated launcher into professional JavaScript supply information. The code executes when CommonJS masses the compromised module, that means set up alone doesn’t show execution.
This design could assist attackers evade protections launched in npm v12 that block package deal scripts by default.
It additionally complicates incident response: a lockfile, native cache, or container picture containing an affected model shouldn’t be essentially compromised, however any developer endpoint, CI runner, documentation workflow, or construct system that imported the poisoned code have to be handled as probably uncovered.
As soon as triggered, the injected launcher spawns a indifferent node -e little one course of, downloads sync.js from an IPFS gateway, and shops it in a believable user-profile NodeJS listing.
The payload is retrieved by the IPFS CID QmQobZSp1wRPrpSEQ56qnyq7ecZh5Bg5k1fnjt4SUwwHb9.
JFrog’s evaluation discovered that the downloaded 8.258.258.25 MB wrapper decrypts right into a 3.093.093.09 MB bundled Node.js utility marked as Miasma v3.
The payload makes use of HKDF-SHA256, AES-256-GCM, and a printable-ASCII ROT transformation to hide its code and configuration.
The energetic configuration identifies the operation as miasma-train-p1 and allows persistence, encrypted command-and-control communications, arbitrary shell command execution, and distant payload alternative.

Its major C2 infrastructure is 85[.]137[.]53[.]71 on ports 808080808080, 808180818081, and 809180918091.
JFrog researchers stated the releases comprise Miasma v3, a payload household not too long ago documented in assaults towards @redhat-cloud-services npm packages.
Miasma Worm Returns as RAT
Crucially, automated propagation is disabled. The malware framework consists of modules for credential theft, npm and PyPI poisoning, GitHub repository abuse, AI-tool poisoning, and metamorphic mutation, however JFrog discovered these options set to false within the noticed construct.

The marketing campaign ought to due to this fact be characterised as a RAT-first deployment of the broader Miasma framework, not an actively self-spreading npm worm.
That distinction doesn’t scale back the severity. The enabled ShellExec functionality permits operators to run instructions for as much as 120120120 seconds and seize their output.
A compromised developer workstation or CI setting might expose supply code, npm tokens, GitHub credentials, cloud identities, SSH keys, signing supplies, and deployment secrets and techniques.
Miasma v3 additionally makes an attempt user-level persistence throughout main working programs. It creates a miasma-monitor. service systemd consumer service on Linux, provides a miasma-monitor Run key on Home windows, and modifies macOS shell startup information with a ### Node Auto-Replace Script ### marker.
It shops victim-specific cryptographic id knowledge in masquerading cache paths and should ship the X-Miasma-Spawn-Chain HTTP header, offering defenders with a useful community detection sign.
The malicious releases had been reportedly revealed by AsyncAPI’s professional GitHub Actions launch workflow utilizing npm’s OIDC trusted-publisher mechanism.
Consequently, the packages carried legitimate provenance attestations. The incident demonstrates that provenance confirms which workflow produced a package deal, however can’t set up whether or not the supply commit getting into that workflow was approved.
Organizations ought to determine affected variations throughout lockfiles, caches, CI data, generated artifacts, and container photographs; decide whether or not poisoned modules had been loaded; and isolate programs the place execution occurred or can’t be excluded.
Defenders ought to block the malicious IPFS CID and C2 infrastructure, take away persistence artifacts, rotate credentials accessible to uncovered environments, and rebuild programs the place full forensic scoping shouldn’t be doable.
IOCs
| Package deal | Variations | Xray ID |
|---|---|---|
@asyncapi/generator |
3.3.1 |
XRAY-898490 |
@asyncapi/generator-helpers |
1.1.1 |
XRAY-898443 |
@asyncapi/generator-components |
0.7.1 |
XRAY-898159 |
@asyncapi/specs |
6.11.2, 6.11.2-alpha.1 |
XRAY-898014 |
Observe: IP addresses and domains are deliberately defanged (e.g., [.]) to stop unintentional decision or hyperlinking. Re-fang solely inside managed menace intelligence platforms corresponding to MISP, VirusTotal, or your SIEM.
Cease Accepting SLAs Written for 2019 SOCs – Right here’s the 2026 AI SLA Vendor Guidelines – Obtain Free AI SOC SLA Information









