Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Miasma Exploits npm for Persistent Backdoor Access

Miasma Exploits npm for Persistent Backdoor Access

Posted on July 15, 2026 By CWS

The Miasma malware has resurfaced, targeting trusted npm packages to establish prolonged access to developer systems. This attack involves the modification of four AsyncAPI packages on npm, which have been altered to deploy a Miasma v3 payload. Such modifications create a backdoor, providing attackers with continuous remote access to affected machines.

Mechanism of Miasma’s Infiltration

Unlike traditional malware, Miasma’s strategy does not activate upon initial package installation. Instead, it embeds hidden code that engages during the loading of an affected module by an application or build process. This stealthy approach can leave systems vulnerable and unsuspecting until the malicious code is executed.

JFrog researchers uncovered this activity by tracing the modified package releases and analyzing the downloaded payloads. Their findings, shared with Cyber Security News, highlight that valid package origin records offer no protection if an attacker alters the source branch that triggers a release.

Details of the Compromise

The compromised packages were released through AsyncAPI’s GitHub Actions workflow, utilizing npm’s OIDC trusted-publisher integration. Despite carrying valid provenance attestations, the release processes were compromised through unauthorized direct commits to the release-triggering branch.

These packages did not contain typical malicious scripts in the preinstall, install, or postinstall stages. Instead, the attackers hid obfuscated code within the source files, exploiting whitespace to evade detection during code reviews. When executed, the code initiates a detached child process, continuing normal operations while starting a secondary payload in the background.

Implications and Prevention Measures

The second stage payload, identifying as Miasma v3, facilitates persistence and remote communication capabilities. Its configuration allows for shell execution and payload replacement without automatic propagation. Systems that have loaded the affected code should be treated as potentially compromised.

Organizations are advised to scrutinize repositories, lockfiles, build logs, and CI runs for signs of these releases. If evidence of execution is found, isolating the affected systems and preserving relevant data for analysis is critical. All affected releases should be removed, and clean versions installed, with lockfiles regenerated from trusted metadata.

Security measures should include blocking identified network indicators and rotating credentials associated with npm, GitHub, cloud services, and other systems. Rebuilding compromised systems from clean images is advised, with a focus on enforcing review processes and securing release branches to prevent future exploitations.

By taking these steps, organizations can mitigate the risk posed by Miasma and safeguard their development environments from such persistent threats.

Cyber Security News Tags:AsyncAPI, Backdoor, command-and-control, Cybersecurity, developer security, GitHub actions, infosec, IPFS, JFrog, Malware, Miasma, npm packages, persistent access, Software Security, threat intelligence

Post navigation

Previous Post: AsyncAPI npm Packages Compromised, 2M Downloads Affected

Related Posts

0APT Ransomware: Illusion of Data Breaches Exposed 0APT Ransomware: Illusion of Data Breaches Exposed Cyber Security News
Anthropic’s Code Allegedly Identifies Chinese Users Anthropic’s Code Allegedly Identifies Chinese Users Cyber Security News
New CoPhish Attack Exploits Copilot Studio to Exfiltrate OAuth Tokens New CoPhish Attack Exploits Copilot Studio to Exfiltrate OAuth Tokens Cyber Security News
Buterat Backdoor Attacking Enterprises to Establish Persistence and Control Endpoints Buterat Backdoor Attacking Enterprises to Establish Persistence and Control Endpoints Cyber Security News
Active Exploitation of Windows Defender Zero-Day Flaws Active Exploitation of Windows Defender Zero-Day Flaws Cyber Security News
First AI-Powered Malware LAMEHUG Attacking Organizations With Compromised Official Email Account First AI-Powered Malware LAMEHUG Attacking Organizations With Compromised Official Email Account Cyber Security News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • Miasma Exploits npm for Persistent Backdoor Access
  • AsyncAPI npm Packages Compromised, 2M Downloads Affected
  • FortiSandbox Vulnerability Exposes VNC Servers
  • Hackers Use Fake OAuth IDs to Target Entra ID Users
  • Microsoft Addresses Record 622 Vulnerabilities, Including Two Critical Zero-Days

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • Miasma Exploits npm for Persistent Backdoor Access
  • AsyncAPI npm Packages Compromised, 2M Downloads Affected
  • FortiSandbox Vulnerability Exposes VNC Servers
  • Hackers Use Fake OAuth IDs to Target Entra ID Users
  • Microsoft Addresses Record 622 Vulnerabilities, Including Two Critical Zero-Days

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark