HomeCyber BalkansMiasma Worm Resurfaces as RAT-First npm Attack with Automatic Propagation Disabled

Miasma Worm Resurfaces as RAT-First npm Attack with Automatic Propagation Disabled

Published on

spot_img

Malicious Re-Entry of the Miasma Worm: A New Threat to AsyncAPI Packages

In a troubling development for developers and software security experts, four AsyncAPI packages, previously compromised during the infamous Shai-Hulud: The Second Coming campaign, have been breached again. This latest wave of attacks features new malicious releases employing a Remote Access Trojan (RAT)-focused variant of the notorious Miasma worm.

The specific packages affected by this latest security incident include @asyncapi/generator version 3.3.13.3.13.3.1, @asyncapi/generator-components version 0.7.10.7.10.7.1, @asyncapi/generator-helpers version 1.1.11.1.11.1.1, and @asyncapi/specs versions 6.11.26.11.26.11.2 and 6.11.2-alpha.16.11.2-alpha.16.11.2-alpha.1. These versions are now considered compromised and pose a significant risk to users who have downloaded them.

Notably, this recent activity marks a departure from previous Miasma attacks, as the AsyncAPI packages do not leverage common malicious hooks typically associated with the preinstall, install, or postinstall lifecycle scripts. Instead, the assailants have inserted an approximately 7.77 KB obfuscated launcher directly into legitimate JavaScript source files. This code executes upon loading the compromised module via CommonJS, indicating that merely installing the package does not trigger the malicious behavior.

This design choice potentially aids attackers in evading protections that were introduced with npm version 12, which blocks package scripts by default. Such a tactic complicates the incident response process for organizations. In this case, having a lockfile, local cache, or container image that contains an affected version does not automatically imply a compromise. Developers must treat any endpoint, CI runner, documentation workflow, or build system that utilized the tainted code as potentially exposed.

Once activated, the malicious launcher spawns a detached Node.js child process, which downloads a file known as sync.js from an IPFS gateway and stores it in a typical user-profile Node.js directory. The payload is pulled from the IPFS CID QmQobZSp1wRPrpSEQ56qnyq7ecZh5Bg5k1fnjt4SUwwHb9. Analysis by JFrog reveals that this downloaded payload, sized at 8.258 MB, decrypts into a 3.093 MB bundled Node.js application tagged as Miasma v3.

The sophisticated malware employs encryption techniques such as HKDF-SHA256, AES-256-GCM, and a printable-ASCII ROT transformation to obscure its true purpose and functionality. Significantly, the active configuration of this malicious package identifies its operation as miasma-train-p1, while also enabling features such as persistence, encrypted command-and-control communications, arbitrary shell command execution, and the ability to replace payloads remotely. This level of detail suggests a robust and dangerous threat to affected systems.

The primary command-and-control infrastructure for this attack is located at the IP address 85[.]137[.]53[.]71 and operates on unusual ports, complicating detection efforts. JFrog researchers have noted that the releases contain Miasma v3, a variant that has previously been deployed in attacks targeting @redhat-cloud-services npm packages.

Importantly, automatic self-propagation features have been disabled within this malware framework. However, it includes modules for credential theft, npm and PyPI poisoning, GitHub repository abuse, AI-tool poisoning, and metamorphic mutation. JFrog’s investigation concludes that these features are inactive in the current build, characterizing the incident as a RAT-first deployment rather than an actively self-replicating npm worm.

Despite the focus on RAT capabilities, the implications of this breach are serious. The enabled ShellExec feature permits operators to execute commands for durations of up to 120 seconds, with the potential to capture output. This presents a monumental risk: compromised developer workstations or CI environments could expose critical assets, including source code, npm tokens, GitHub credentials, cloud identities, SSH keys, and deployment secrets.

Miasma v3’s design also seeks user-level persistence across various operating systems. For instance, it establishes a miasma-monitor.service systemd user service on Linux, adds a miasma-monitor Run key in the Windows registry, and modifies macOS shell startup files to facilitate persistence. The malware records victim-specific cryptographic identity data in camouflaged cache paths and could send the X-Miasma-Spawn-Chain HTTP header, a potential signal for network defenders.

The malicious releases were published through AsyncAPI’s legitimate GitHub Actions release workflow, utilizing npm’s OIDC trusted-publisher mechanism. This has raised concerns regarding the authenticity and security of development workflows. While provenance can confirm which workflow produced a package, it cannot guarantee that the source commit entering that workflow was authorized.

In light of this ongoing threat, organizations are urged to identify affected package versions across various operational facets, including lockfiles, caches, CI records, generated artifacts, and container images. There is an imperative need to ascertain whether any compromised modules have been loaded and to isolate systems where execution has occurred or cannot be ruled out.

Security teams should take immediate steps to block the malicious IPFS CID and associated command-and-control infrastructure while removing any persistence artifacts. Additionally, rotating credentials that may be compromised and rebuilding systems may be necessary where full forensic investigation is not feasible.

Defenders face a challenging situation, but with vigilant monitoring and appropriate response strategies, it’s possible to mitigate the risks posed by the re-emergence of the Miasma worm in the developer ecosystem.

Source link

Latest articles

New macOS Malware Exploits Valid Developer ID

New Malware Threat Targets macOS Users Through Deceptive Techniques A sophisticated new form of malware...

Cyber Briefing – 2026.07.14 – CyberMaterial

Cybersecurity Briefing Highlights Critical Exploits and Incidents In the landscape of cybersecurity, a range of...

Pentagon Suspends CMMC Phase II Requirements for Defense Contractors

Suspension of CMMC Phase II: A New Direction for Cybersecurity in the Defense Industrial...

Enhancing Cyber-Resilience of AI in the Enterprise

Rapid Growth of Enterprise AI and Security Oversights Enterprise Artificial Intelligence (AI) is experiencing unprecedented...

More like this

New macOS Malware Exploits Valid Developer ID

New Malware Threat Targets macOS Users Through Deceptive Techniques A sophisticated new form of malware...

Cyber Briefing – 2026.07.14 – CyberMaterial

Cybersecurity Briefing Highlights Critical Exploits and Incidents In the landscape of cybersecurity, a range of...

Pentagon Suspends CMMC Phase II Requirements for Defense Contractors

Suspension of CMMC Phase II: A New Direction for Cybersecurity in the Defense Industrial...