Date: 07/16/2026
Severity: High
Summary
Threat actors compromised multiple AsyncAPI npm packages by injecting a malicious import-time loader that executed automatically when affected packages were imported, bypassing mitigations such as npm install --ignore-scripts. The loader deployed the Miasma modular malware, enabling command-and-control, persistence, decentralized fallback channels, and the potential for credential harvesting and propagation. The compromise impacted developer workstations, CI/CD pipelines, container builds, and production environments that imported the affected package versions.
Indicators of Compromise (IOC) List
Domains/URLs | https://ipfs.io/ipfs/Qmet4fhsAaWMBUxNDfREHwgiyDeSWy4YSYs9wiKUW5jGyf |
IP Address | 85.137.53.71 |
Hash | d425e4583cc6185d41e95c45eda00550045a5d1919b9a012236a4520d009dbd7
9b2e65db653ca8575c9b10eefb9a80c6006404812c2ec212bf5675e3c690233b
bfaeb987faa6de2b5a5eb63b1233d055215b09b0349a9394f2175fd7cdf385e4
082d733db0687dcd768104972b065d4b58cb1e6043688c6c20fa3702337f36ab
34014776d3d3ff11bc4439b02fd7ac0f02a887eb3a052eeafff236e2f6db8ad1
b9993a8ad0518849416798cf29668256ccb96598fc4423501ccab5312812653a
b270bdf8e2274ea1af0a6eed74d8f10e5fe61012d6cc226a43cc7cc7fd9f6292
8351d251cf0b5a0bd82242deaa0a14e3e1394418d55c0f4259dac4303b79fc0c
6e78713b75bd34828d49896176627f7face7aa9036cd874f2e02d9f23a9a9c71
24b9ee242f21a73b55f7bb3297eafb33c60840907386b542ed79fc6b72365168
|
IPFS CID | Qmet4fhsAaWMBUxNDfREHwgiyDeSWy4YSYs9wiKUW5jGyf |
URL Path | /api/v1/beacon /api/v1/file-result /api/v1/file-content/<cid> |
Filepath | %LOCALAPPDATA%\NodeJS\sync.js
~/.local/share/NodeJS/sync.js
~/Library/Application Support/NodeJS/sync.js
~/.config/NodeJS/sync.js
~/.config/.miasma/run/node.lock |
mDNS service | _miasma._tcp |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 : | domainname like "https://ipfs.io/ipfs/Qmet4fhsAaWMBUxNDfREHwgiyDeSWy4YSYs9wiKUW5jGyf" or url like "https://ipfs.io/ipfs/Qmet4fhsAaWMBUxNDfREHwgiyDeSWy4YSYs9wiKUW5jGyf" or siteurl like "https://ipfs.io/ipfs/Qmet4fhsAaWMBUxNDfREHwgiyDeSWy4YSYs9wiKUW5jGyf" |
Detection Query 2 : | dstipaddress IN ("85.137.53.71") or srcipaddress IN ("85.137.53.71") |
Detection Query 3 : | sha256hash IN ("24b9ee242f21a73b55f7bb3297eafb33c60840907386b542ed79fc6b72365168","b9993a8ad0518849416798cf29668256ccb96598fc4423501ccab5312812653a","bfaeb987faa6de2b5a5eb63b1233d055215b09b0349a9394f2175fd7cdf385e4","d425e4583cc6185d41e95c45eda00550045a5d1919b9a012236a4520d009dbd7","9b2e65db653ca8575c9b10eefb9a80c6006404812c2ec212bf5675e3c690233b","082d733db0687dcd768104972b065d4b58cb1e6043688c6c20fa3702337f36ab","34014776d3d3ff11bc4439b02fd7ac0f02a887eb3a052eeafff236e2f6db8ad1","b270bdf8e2274ea1af0a6eed74d8f10e5fe61012d6cc226a43cc7cc7fd9f6292","8351d251cf0b5a0bd82242deaa0a14e3e1394418d55c0f4259dac4303b79fc0c","6e78713b75bd34828d49896176627f7face7aa9036cd874f2e02d9f23a9a9c71")
|
Detection Query 4 : | url like "/api/v1/beacon" or url like "/api/v1/file-result" or url like "/api/v1/file-content/%" |
Detection Query 5 : | datasourcename like "Windows security" AND eventtype like "4663" AND objectname like "%LOCALAPPDATA%\NodeJS\sync.js" |
Detection Query 6 : | technologygroup = "EDR" AND objectname like "%LOCALAPPDATA%\NodeJS\sync.js" |
Detection Query 7 : | datasourcename = "Linux" AND (filepath like "/.local/share/NodeJS/sync.js" OR filepath like "/.config/NodeJS/sync.js" OR filepath like "/.config/.miasma/run/node.lock") |
Detection Query 8 : | technologygroup = "EDR" AND (filepath like "~/.local/share/NodeJS/sync.js" OR filepath like "/.config/NodeJS/sync.js" OR filepath like "/.config/.miasma/run/node.lock" OR filepath like "~/Library/Application Support/NodeJS/sync.js") |
Reference:
https://www.microsoft.com/en-us/security/blog/2026/07/15/unpacking-asyncapi-npm-supply-chain-compromise-import-time-payload-delivery/