Unpacking the AsyncAPI npm Supply Chain Compromise and Import-Time Payload Delivery

    Date: 07/16/2026

    Severity: High

    Summary

    Threat actors compromised multiple AsyncAPI npm packages by injecting a malicious import-time loader that executed automatically when affected packages were imported, bypassing mitigations such as npm install --ignore-scripts. The loader deployed the Miasma modular malware, enabling command-and-control, persistence, decentralized fallback channels, and the potential for credential harvesting and propagation. The compromise impacted developer workstations, CI/CD pipelines, container builds, and production environments that imported the affected package versions. 

    Indicators of Compromise (IOC) List

    Domains/URLs

    https://ipfs.io/ipfs/Qmet4fhsAaWMBUxNDfREHwgiyDeSWy4YSYs9wiKUW5jGyf

    IP Address

    85.137.53.71

    Hash

    d425e4583cc6185d41e95c45eda00550045a5d1919b9a012236a4520d009dbd7

    9b2e65db653ca8575c9b10eefb9a80c6006404812c2ec212bf5675e3c690233b

    bfaeb987faa6de2b5a5eb63b1233d055215b09b0349a9394f2175fd7cdf385e4

    082d733db0687dcd768104972b065d4b58cb1e6043688c6c20fa3702337f36ab

    34014776d3d3ff11bc4439b02fd7ac0f02a887eb3a052eeafff236e2f6db8ad1

    b9993a8ad0518849416798cf29668256ccb96598fc4423501ccab5312812653a

    b270bdf8e2274ea1af0a6eed74d8f10e5fe61012d6cc226a43cc7cc7fd9f6292

    8351d251cf0b5a0bd82242deaa0a14e3e1394418d55c0f4259dac4303b79fc0c

    6e78713b75bd34828d49896176627f7face7aa9036cd874f2e02d9f23a9a9c71

    24b9ee242f21a73b55f7bb3297eafb33c60840907386b542ed79fc6b72365168

    IPFS CID

    Qmet4fhsAaWMBUxNDfREHwgiyDeSWy4YSYs9wiKUW5jGyf

    URL Path

    /api/v1/beacon 

    /api/v1/file-result 

    /api/v1/file-content/<cid> 

    Filepath

    %LOCALAPPDATA%\NodeJS\sync.js
    ~/.local/share/NodeJS/sync.js
    ~/Library/Application Support/NodeJS/sync.js
    ~/.config/NodeJS/sync.js
    ~/.config/.miasma/run/node.lock 

    mDNS service 

    _miasma._tcp 

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection 

    Detection Query 1 :

    domainname like "https://ipfs.io/ipfs/Qmet4fhsAaWMBUxNDfREHwgiyDeSWy4YSYs9wiKUW5jGyf" or url like "https://ipfs.io/ipfs/Qmet4fhsAaWMBUxNDfREHwgiyDeSWy4YSYs9wiKUW5jGyf" or siteurl like "https://ipfs.io/ipfs/Qmet4fhsAaWMBUxNDfREHwgiyDeSWy4YSYs9wiKUW5jGyf"

    Detection Query 2 :

    dstipaddress IN ("85.137.53.71") or srcipaddress IN ("85.137.53.71")

    Detection Query 3 :

    sha256hash IN ("24b9ee242f21a73b55f7bb3297eafb33c60840907386b542ed79fc6b72365168","b9993a8ad0518849416798cf29668256ccb96598fc4423501ccab5312812653a","bfaeb987faa6de2b5a5eb63b1233d055215b09b0349a9394f2175fd7cdf385e4","d425e4583cc6185d41e95c45eda00550045a5d1919b9a012236a4520d009dbd7","9b2e65db653ca8575c9b10eefb9a80c6006404812c2ec212bf5675e3c690233b","082d733db0687dcd768104972b065d4b58cb1e6043688c6c20fa3702337f36ab","34014776d3d3ff11bc4439b02fd7ac0f02a887eb3a052eeafff236e2f6db8ad1","b270bdf8e2274ea1af0a6eed74d8f10e5fe61012d6cc226a43cc7cc7fd9f6292","8351d251cf0b5a0bd82242deaa0a14e3e1394418d55c0f4259dac4303b79fc0c","6e78713b75bd34828d49896176627f7face7aa9036cd874f2e02d9f23a9a9c71")

    Detection Query 4 :

    url like "/api/v1/beacon" or url like "/api/v1/file-result" or url like "/api/v1/file-content/%"

    Detection Query 5 :

    datasourcename like "Windows security" AND eventtype like "4663" AND objectname like "%LOCALAPPDATA%\NodeJS\sync.js"

    Detection Query 6 :

    technologygroup = "EDR" AND objectname like "%LOCALAPPDATA%\NodeJS\sync.js"

    Detection Query 7 :

    datasourcename = "Linux" AND (filepath like "/.local/share/NodeJS/sync.js" OR filepath like "/.config/NodeJS/sync.js" OR filepath like "/.config/.miasma/run/node.lock")

    Detection Query 8 :

    technologygroup = "EDR" AND (filepath like "~/.local/share/NodeJS/sync.js" OR filepath like "/.config/NodeJS/sync.js" OR filepath like "/.config/.miasma/run/node.lock" OR filepath like "~/Library/Application Support/NodeJS/sync.js")

    Reference:    

    https://www.microsoft.com/en-us/security/blog/2026/07/15/unpacking-asyncapi-npm-supply-chain-compromise-import-time-payload-delivery/                   


    Tags

    MalwareNode Package Manager (NPM)Credential HarvestingSupply chain attack

    « Previous Article

    Comments

    No records to display

    Looking for Something?
    Threat Research Categories:
    Tags