Four official AsyncAPI npm packages were compromised in a supply chain attack that delivers Miasma — a sophisticated multi-stage botnet loader with six simultaneous command-and-control communication channels, including Ethereum smart contracts and decentralized peer-to-peer protocols. Researchers from OX Security, SafeDep, Socket, and StepSecurity coordinated the disclosure after discovering that the attacker had used the AsyncAPI project’s own GitHub Actions release pipeline with valid OIDC provenance attestations, passing the supply-chain integrity checks npm deploys to verify package authenticity.
Compromised AsyncAPI Packages and the OIDC Provenance Bypass
The four compromised packages — @asyncapi/generator-helpers@1.1.1, @asyncapi/generator-components@0.7.1, @asyncapi/generator@3.3.1, and @asyncapi/specs versions 6.11.2 and 6.11.2-alpha.1 — were removed from npm following the discovery. AsyncAPI is an open specification for defining asynchronous APIs used in messaging and event-driven architectures; the generator packages in particular are used to build documentation, software development kits, and integration code from AsyncAPI specifications, placing them directly in CI/CD pipelines and development workflows.
The attacker gained push access to the AsyncAPI GitHub repositories and executed the malicious release through the project’s legitimate GitHub Actions release pipeline. Because the release used valid OIDC provenance attestations — the mechanism npm uses to verify that a package was built by the project’s own pipeline — the malicious packages passed the supply-chain integrity checks that are supposed to distinguish legitimate releases from attacker-injected packages. The attack demonstrated that provenance attestations alone are insufficient when an attacker controls repository access: the check verifies the pipeline, not the contents of what the pipeline was instructed to build.
How Miasma’s Six C2 Channels Defeat Standard Network Blocking
When an affected package is imported, malicious code executes and downloads an encrypted second-stage payload from IPFS. After decryption, a JavaScript loader called sync.js activates — a 744-module bundle that deploys the Miasma botnet loader. Miasma communicates with its operators through six independent C2 channels: HTTP, Nostr relay, IPFS, BitTorrent DHT, libp2p GossipSub peer-to-peer mesh, and Ethereum smart contracts.
The design significance of six simultaneous C2 channels is that blocking any individual channel does not disrupt attacker communication. Organizations that block outbound HTTP to known malicious domains leave the Ethereum smart contract and DHT channels functional. Those that block DHT traffic retain IPFS and libp2p channels as fallback paths. To fully sever Miasma’s C2 connectivity, a defender would need to block all six communication protocols simultaneously — a challenge in environments where some of those protocols (BitTorrent DHT, libp2p) have legitimate uses. Ethereum smart contracts as C2 infrastructure are particularly difficult to block because the contracts live on the public blockchain and communication with them is indistinguishable from other Ethereum RPC traffic.
AI Tool Poisoning and Worm-Like Propagation Among Miasma’s Capabilities
Beyond credential theft and standard botnet capabilities, Miasma includes two capabilities that reflect awareness of current developer toolchain targets. AI tool poisoning modifies configuration files of AI coding assistants installed on the compromised system — targeting the growing class of AI-assisted development tools that read local configuration from the filesystem. An attacker who modifies those configurations can influence the code suggestions the AI tool generates for the developer, potentially introducing vulnerabilities or backdoors into downstream code.
Miasma also includes worm-like propagation capabilities designed to spread across package registries, meaning that a compromised developer environment could be used to infect other packages the developer publishes. This represents a second-order supply chain risk: not only are the developer’s own systems compromised, but the developer’s publishing credentials and pipeline access become potential attack vectors for further supply chain contamination.
Evasion Design and Coordinated Disclosure Timeline
Miasma’s evasion logic includes an explicit check for Russian-language system settings and certain security tools. Systems matching those conditions do not receive the malicious payload — a pattern consistent with financially motivated operators who avoid targeting systems in Russian-speaking jurisdictions to reduce law enforcement exposure in those regions.
The coordinated disclosure involved four security research teams — OX Security, SafeDep, Socket, and StepSecurity — working in parallel to identify, document, and remove the compromised packages before the public announcement. Following discovery, all affected packages were unpublished from npm. Organizations with CI/CD pipelines that installed any of the four compromised package versions during the window should treat their build environments as potentially compromised and audit for Miasma’s indicators, including unexpected IPFS connections, JavaScript loader activity at module import time, and modifications to AI coding tool configuration files.
