Close Menu

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    What's Hot

    ​ ​AsyncAPI npm packages infected with credential-stealing malware

    July 15, 2026

    We built a vulnerability vending machine: AI tokens in, zero-days out

    July 15, 2026

    Infosec News Nuggets — July 15, 2026 – AboutDFIR

    July 15, 2026
    Facebook X (Twitter) Instagram
    • Demos
    • Technology
    • Gaming
    • Buy Now
    Facebook X (Twitter) Instagram Pinterest Vimeo
    Canadian Cyber WatchCanadian Cyber Watch
    • Home
    • News
    • Alerts
    • Tips
    • Tools
    • Industry
    • Incidents
    • Events
    • Education
    Subscribe
    Canadian Cyber WatchCanadian Cyber Watch
    Home»News»​ ​AsyncAPI npm packages infected with credential-stealing malware
    News

    ​ ​AsyncAPI npm packages infected with credential-stealing malware

    adminBy adminJuly 15, 2026No Comments3 Mins Read
    Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
    Share
    Facebook Twitter LinkedIn Pinterest Email


    AsyncAPI npm packages infected with credential-stealing malware

    Five malicious versions of AsyncAPI packages were published to the Node Package Manager (npm) in a supply-chain attack that delivered a remote access trojan with info-stealing capabilities.

    The threat actor exploited a misconfigured GitHub Actions workflow and pushed trojanized packages in the @asyncapi namespace that had a cummulative weekly download count of more than 2.25 million.

    Multiple security companies confirmed that on July 14, an attacker compromised two AsyncAPI GitHub repositories and injected malware into project files.

    image

    “Both attacks are CI/CD pipeline compromises, not stolen npm tokens or malicious maintainers,” reads a report from Step Security.

    The researchers explain that “the attacker pushed commits under a placeholder git identity and let each repository’s real release workflow do the publishing via npm’s GitHub OIDC trusted-publisher integration.”

    In doing so, the attacker ensured that the resulting packages had the legitimate SLSA provenance attestations, indicating that they originated from an authorized workflow.

    The malicious AsyncAPI packages pushed to npm are:

    Application security company Socket notes that the first-stage implant in the published packages is an obfuscated JavaScript statement that ultimately triggers a downloader when the infected file is imported.

    A second-stage script, which contains configuration details and the main runtime, is retrieved from the IPFS peer-to-peer content delivery network and launched as a hidden process.

    Cloud and application security company Wiz says that the third-stage payload “is a 92,000-line malware framework with modular architecture,” which establishes persistence on the system and communicates with the command-and-control (C2) server over several channels: HTTP, Nostr relays, Ethereum smart contracts, and a libp2p mesh network.

    Attack flow diagram
    Attack flow diagram
    Source: Step Security

    Although the final payload uses artifact names and configuration files pointing to the Miasma backdoor seen in past supply-chain attacks [1, 2], SafeDep researchers believe that the malware is “either a private, parallel build by the same operators or a separate group that adopted the Miasma brand after the source was published.”

    Its purpose appears to be stealing secrets, which include credentials, authentication keys, tokens, browser data, sensitive info from CI/CD systems and AI developer tools, cryptocurrency wallets, and databases.

    Additionally, the malware code allows it to download the Gitleaks and HackBrowserData tools to help with collecting sensitive info.

    However, a report from cybersecurity company Aikido notes that all these functions do not work and the data harvesting tool exits before collecting anything. Nevertheless, the researchers say that all this can be achieved manually using the shell.

    Ox Security also noted that the malware performs a local check for Russia, and if there’s a match, it terminates its process.

    As of writing, all five versions of the four malicious packages have been removed from npm, but developers should note that existing installations and lock files created during the exposure window may still contain the malicious releases.

    The exposure window extends to approximately four hours and seven minutes, between 07:10 and 11:18 UTC on July 14.

    The recommended action is to pin to known-good files, regenerate lock files, remove the hidden ‘NodeJS/sync.js’ payload, terminate all malicious processes, and rotate credentials on the impacted systems.


    article image

    Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.

    The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.

    Get the whitepaper



    Source link

    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
    Previous ArticleWe built a vulnerability vending machine: AI tokens in, zero-days out
    admin
    • Website

    Related Posts

    News

    We built a vulnerability vending machine: AI tokens in, zero-days out

    July 15, 2026
    News

    Infosec News Nuggets — July 15, 2026 – AboutDFIR

    July 15, 2026
    News

    Helping small businesses with free, hands-on cyber consultancy

    July 15, 2026
    Add A Comment

    Comments are closed.

    Demo
    Top Posts

    Catchy & Intriguing

    March 17, 202677 Views

    The Canadian Password Playbook: Navigating Compliance and Building Strong Passwords

    March 25, 202634 Views

    IP Address Investigations and Local OSINT

    March 20, 202634 Views
    Stay In Touch
    • Facebook
    • YouTube
    • TikTok
    • WhatsApp
    • Twitter
    • Instagram
    Latest Reviews
    85
    Featured

    Pico 4 Review: Should You Actually Buy One Instead Of Quest 2?

    January 15, 2021 Featured
    8.1
    Uncategorized

    A Review of the Venus Optics Argus 18mm f/0.95 MFT APO Lens

    January 15, 2021 Uncategorized
    8.9
    Editor's Picks

    DJI Avata Review: Immersive FPV Flying For Drone Enthusiasts

    January 15, 2021 Editor's Picks

    Subscribe to Updates

    Get the latest tech news from FooBar about tech, design and biz.

    Demo
    Most Popular

    Catchy & Intriguing

    March 17, 202677 Views

    The Canadian Password Playbook: Navigating Compliance and Building Strong Passwords

    March 25, 202634 Views

    IP Address Investigations and Local OSINT

    March 20, 202634 Views
    Our Picks

    ​ ​AsyncAPI npm packages infected with credential-stealing malware

    July 15, 2026

    We built a vulnerability vending machine: AI tokens in, zero-days out

    July 15, 2026

    Infosec News Nuggets — July 15, 2026 – AboutDFIR

    July 15, 2026

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Facebook X (Twitter) Instagram Pinterest
    • Home
    • Technology
    • Gaming
    • Phones
    • Buy Now
    © 2026 ThemeSphere. Designed by ThemeSphere.

    Type above and press Enter to search. Press Esc to cancel.