Originally published on CyberNetSec.
Executive Summary
The npm ecosystem's threat landscape has fundamentally shifted from isolated nuisance incidents to systematic, high-consequence supply chain attacks. Since the Shai-Hulud worm demonstrated the viability of self-propagating malware on the npm registry in September 2025, threat actors have accelerated their campaigns in both frequency and technical sophistication. A July 15, 2026 report from Unit 42 details this evolution, culminating in a recent attack against the AsyncAPI project. Attackers compromised its CI/CD pipeline by exploiting unprotected GitHub release branches, bypassing code reviews to publish packages trojanized with the Miasma Remote Access Trojan (RAT). This incident underscores a strategic focus by adversaries on compromising automated build and release processes to steal credentials and distribute malware through trusted developer channels.
Threat Overview
The era of simple typosquatting on npm has been supplanted by complex, multi-stage supply chain attacks. The Shai-Hulud worm in 2025 served as a proof-of-concept, and threat actors have since refined its methods.
- April-May 2026 Campaigns: The threat actor TeamPCP launched multiple campaigns, including "Shai-Hulud: The Third Coming" and "Mini Shai-Hulud," introducing credential-free access techniques and achieving record-high malicious package publication rates.
-
June 2026 Red Hat Compromise: An attack compromised at least 32 packages under the
@redhat-cloud-servicesnpm namespace, deploying an early version of the Miasma payload. - July 2026 AsyncAPI Compromise: On July 14, 2026, attackers executed the "miasma-train-p1" campaign, compromising four core AsyncAPI GitHub repositories. Unlike previous attacks that may have relied on compromised user accounts, this incident exploited a process gap in the CI/CD pipeline itself. The attackers pushed malicious code directly to unprotected pre-production release branches, which then triggered automated workflows to build and publish trojanized packages to the public npm registry.
These events illustrate a clear trend: attackers are moving up the software supply chain, targeting the very automation that powers modern development to achieve widespread and trusted distribution of their malware.
Technical Analysis
The AsyncAPI compromise provides a detailed case study of modern npm supply chain attack TTPs.
Attack Chain
- Initial Access & Execution: Attackers gained access to push code directly to unprotected
nextandschemabranches in AsyncAPI's GitHub repositories. A malicious commit (3eab3ec9304aa26081358330491d3cfeb55cc245) was pushed, bypassing mandatory peer review controls that were only enforced on themainbranch. This maps toT1195.001 - Compromise Software Dependencies and Development Tools. - CI/CD Pipeline Abuse: The malicious commit triggered trusted GitHub Actions workflows. The injected code executed within the CI runner's environment.
- Credential Access: The script harvested sensitive environment secrets, including
NPM_TOKENandGITHUB_TOKEN, from the CI runner. This is a form ofT1552.006 - Unsecured Credentials: CI/CD Secrets. - Malicious Package Publication: Using the stolen
NPM_TOKEN, the attackers programmatically published five trojanized packages to the official@asyncapiscope on npm, leveraging the stolen credentials as perT1078 - Valid Accounts.
Payload Analysis: Miasma RAT
The payload is a multi-stage RAT designed for stealth and persistence.
-
Stage 1: Evasion and Execution: When a developer runs
npm installon a compromised package, a backdoored JavaScript file (e.g.,index.js) executes. The code is heavily obfuscated usingobfuscator.io(T1027 - Obfuscated Files or Information). It spawns a detached child process to continue execution while the parentnpmprocess exits cleanly, deceiving the user. -
Stage 2: Ingress Tool Transfer: The obfuscated script fetches the main Miasma RAT payload from the InterPlanetary File System (IPFS) using a hardcoded Content ID (CID) like
Qmet4fhsAaWMBUxNDfREHwgiyDeSWy4YSYs9wiKUW5jGyf. This is an example ofT1105 - Ingress Tool Transfer. -
Persistence: The RAT establishes persistence based on the operating system.
-
Linux/macOS: A user-scoped
systemdservice namedmiasma-monitor.serviceis created (T1543.002 - Create or Modify System Process: Systemd Service). -
Windows: A Run key named
miasma-monitoris added to the registry to execute on startup (T1547.001 - Registry Run Keys / Startup Folder).
-
Linux/macOS: A user-scoped
The RAT creates a lockfile at ~/.config/.miasma/run/node.lock to prevent multiple instances and uses OS-specific paths like ~/Library/Application Support/nodejs/ or %APPDATA%\nodejs\ for its cache to blend in with legitimate Node.js activity.
Impact Assessment
The compromise of a trusted open-source project's release pipeline carries significant business and security impact for both the project maintainers and downstream consumers.
- Erosion of Trust: Such attacks undermine trust in the open-source ecosystem and the specific project. Developers may become hesitant to use or contribute to AsyncAPI, fearing their own systems could be compromised.
- Widespread Downstream Compromise: Any developer, build server, or production environment that pulls the trojanized package version becomes infected. The Miasma RAT can then steal credentials, exfiltrate source code, or serve as a pivot point into the victim's network.
- Intellectual Property Theft: The RAT's primary function is credential harvesting, which can lead to the theft of proprietary code, API keys, and other sensitive data from developer workstations and CI/CD systems.
- Remediation Costs: AsyncAPI and its users face significant costs for incident response, forensic analysis, credential rotation, and rebuilding trust. All downstream users must audit their systems to identify and eradicate the compromise.
IOCs — Directly from Articles
The following indicators were explicitly mentioned in the source report.
| Type | Value | Description |
|---|---|---|
| IPFS CID | Qmet4fhsAaWMBUxNDfREHwgiyDeSWy4YSYs9wiKUW5jGyf |
Stage-2 Miasma RAT payload. |
| IPFS CID | QmQobZSp1wRPrpSEQ56qnyq7ecZh5Bg5k1fnjt4SUwwHb9 |
Stage-2 Miasma RAT payload. |
| File Path | ~/.config/.miasma/run/node.lock |
Miasma RAT operational lockfile. |
| File Path | ~/.node_cache/ |
Disguised persistence directory (Linux/macOS). |
| File Path | ~/Library/Application Support/nodejs/ |
Disguised persistence directory (macOS). |
| File Path | %APPDATA%\nodejs\ |
Disguised persistence directory (Windows). |
| Service Name | miasma-monitor.service |
Persistence mechanism on Linux/macOS. |
| Registry Key | miasma-monitor |
Persistence mechanism (Run key) on Windows. |
| String | Shai-Hulud: The Third Coming |
String found in related TeamPCP campaigns. |
| Other | 3eab3ec9304aa26081358330491d3cfeb55cc245 |
Malicious commit hash in AsyncAPI repository. |
| Other | 148100 |
Attacker's GitHub user ID. |
Cyber Observables — Hunting Hints
Security teams may want to hunt for the following patterns, which could indicate related activity:
| Type | Value | Context / Where to Look | Description |
|---|---|---|---|
command_line_pattern |
node * --detached |
EDR, Process creation logs (Event ID 4688) | The malware spawns a detached child process to run in the background. |
network_traffic_pattern |
Outbound TCP/443 to *.ipfs.dweb.link or gateway.ipfs.io
|
Firewall logs, Proxy logs, Netflow | The payload fetches its second stage from public IPFS gateways. |
file_path |
~/.config/.miasma/ |
File system monitoring, EDR | The malware creates this directory for its operational files. |
service_name |
miasma-monitor.service |
systemctl command output, Linux audit logs |
The service used for persistence on Linux systems. |
registry_key |
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\miasma-monitor |
Windows Registry, EDR | The Run key used for persistence on Windows systems. |
log_source |
GitHub Audit Logs |
GitHub Enterprise/Organization audit logs | Search for direct commits to protected or release-critical branches by unexpected users. |
url_pattern |
*/api/v0/cat?arg=Qm* |
Web proxy logs | The API call pattern used to retrieve files from an IPFS node. |
Detection & Response
Detecting and responding to this type of supply chain attack requires a multi-layered approach focusing on the development lifecycle and endpoint behavior.
Detection Strategies
- CI/CD Monitoring: Implement strict monitoring on Git repositories. Alert on any direct commits to release, pre-production, or main branches that bypass the standard pull request and peer review process. Use GitHub audit logs to track these events.
- Endpoint Detection (EDR): Deploy EDR solutions on developer workstations and build runners. Create rules to detect suspicious process chains, such as an
npmornodeprocess spawning a detached child process, making outbound network connections to unusual destinations like IPFS gateways, or writing new executable files. - Network Analysis: Monitor for and alert on outbound connections from build servers and developer machines to known IPFS gateways or other decentralized file-sharing networks. This can be achieved through Network Traffic Analysis (D3-NTA).
- Dependency Scanning: While static analysis may be bypassed by obfuscation, tools that analyze package behavior at installation time (Dynamic Analysis (D3-DA)) can identify malicious actions like network callbacks or file system modifications.
Response Actions
- Isolate: Immediately isolate affected developer machines and build servers from the network to prevent lateral movement or further data exfiltration.
- Revoke Credentials: Revoke all
NPM_TOKEN,GITHUB_TOKEN, and other secrets present in the compromised CI/CD environment and on affected developer machines. - Remove Malicious Packages: Work with the npm security team to remove the trojanized package versions from the registry.
- Audit and Remediate: Conduct a full audit of all systems that may have installed the malicious package. Remove the persistence mechanisms (systemd service, Run key) and any related files.
Mitigation
Preventing CI/CD pipeline compromises requires both technical controls and process improvements.
- Harden Git Repositories: Enforce branch protection rules on ALL branches that feed into a release pipeline, not just
main. Require signed commits and mandatory peer reviews for any code changes to these branches. This is a form of Application Configuration Hardening (D3-ACH). - Principle of Least Privilege for Tokens: CI/CD access tokens (
NPM_TOKEN,GITHUB_TOKEN) should be short-lived and scoped with the minimum permissions necessary. For npm, use granular access tokens that can only publish to specific packages. - Dependency Integrity: Use lockfiles (
package-lock.json,yarn.lock) and runnpm ciinstead ofnpm installin automated environments to ensure that only vetted dependency versions are installed. This helps prevent unexpected updates to malicious versions. - Sandboxed Builds: Execute CI/CD jobs in ephemeral, isolated environments (sandboxes or containers) with no access to the broader corporate network. The environment should be destroyed after each run. This aligns with Application Isolation and Sandboxing.
- Vet Dependencies: Use tools to scan for known vulnerabilities in dependencies. For critical dependencies, consider vendoring or mirroring them in a private, trusted registry after a security review.
Top comments (0)