Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
AsyncAPI npm Packages Compromise Sparks Botnet Concerns

AsyncAPI npm Packages Compromise Sparks Botnet Concerns

Posted on July 15, 2026 By CWS

Four npm packages under the @asyncapi namespace have been found distributing a sophisticated botnet loader, according to research from OX Security and others. These packages, which were compromised to deliver a multi-stage malware, pose a significant threat to software supply chains.

Identified Compromised Packages

The compromised packages include @asyncapi/[email protected], @asyncapi/[email protected], @asyncapi/[email protected], and @asyncapi/specs versions 6.11.2 and 6.11.2-alpha.1. Each package contains a concealed JavaScript implant designed to activate malicious code upon module loading in Node.js.

Once executed, the implant downloads an obfuscated second-stage payload known as Miasma from IPFS. This payload is specifically designed to operate in the background, launching a detached node process to continue its execution.

Technical Details of the Payload

The second-stage payload involves an encrypted JavaScript loader, ‘sync.js,’ which is executed in system-specific paths. The loader is responsible for decrypting the final JavaScript payload and incorporates a large encrypted blob for its spawn-chain framework.

This framework includes 744 modules, facilitating multiple command-and-control communication channels such as HTTP, IPFS, and Ethereum smart contracts. The malware supports various malicious activities, including credential theft and propagation across npm, PyPI, and Cargo registries.

Investigation and Response

OX Security’s analysis revealed similarities with previous campaigns but confirmed that this malware is distinct from the known Miasma and Shai-Hulud threats. The malware includes mechanisms to evade detection in virtual environments and systems with specific security tools installed.

It’s noted that the attacker managed to gain push access to the repositories, leveraging GitHub Actions to release these packages with legitimate provenance attestations. This highlights a critical vulnerability in CI/CD workflows, where the attack did not require stealing npm tokens but exploited the release pipeline itself.

Following the discovery, all affected package versions have been removed from the npm registry. Developers are advised to consider endpoints that interacted with these packages as potentially compromised, especially if the modules were part of active build or developer workflows.

Security experts emphasize the importance of verifying CI/CD pipelines and maintaining vigilance against such sophisticated supply chain attacks, underscoring the ongoing need for robust security practices in software development.

The Hacker News Tags:AsyncAPI, botnet malware, command-and-control, cyber attack, Cybersecurity, IPFS, JavaScript, Malware, Miasma, Node.js, npm packages, Programming, Software Security, supply chain attack

Post navigation

Previous Post: EU Age Verification App Bypassed Using Chrome Extension
Next Post: Zero-Day Vulnerability Causes ShareFile Service Interruption

Related Posts

Microsoft Identifies Three Salesforce Threat Vectors Microsoft Identifies Three Salesforce Threat Vectors The Hacker News
New StackWarp Hardware Flaw Breaks AMD SEV-SNP Protections on Zen 1–5 CPUs New StackWarp Hardware Flaw Breaks AMD SEV-SNP Protections on Zen 1–5 CPUs The Hacker News
Threat Actor Mimo Targets Magento and Docker to Deploy Crypto Miners and Proxyware Threat Actor Mimo Targets Magento and Docker to Deploy Crypto Miners and Proxyware The Hacker News
Bitfinex Hack Convict Ilya Lichtenstein Released Early Under U.S. First Step Act Bitfinex Hack Convict Ilya Lichtenstein Released Early Under U.S. First Step Act The Hacker News
Credential Theft and Remote Access Surge as AllaKore, PureRAT, and Hijack Loader Proliferate Credential Theft and Remote Access Surge as AllaKore, PureRAT, and Hijack Loader Proliferate The Hacker News
Hidden Vulnerabilities of Project Management Tools & How FluentPro Backup Secures Them Hidden Vulnerabilities of Project Management Tools & How FluentPro Backup Secures Them The Hacker News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • Chinese Hackers Use AI Tools in Sophisticated Cyberattacks
  • White House Unveils AI-Driven Gold Eagle Initiative
  • SonicWall Urges Immediate Fixes for Critical Firewall Flaws
  • Zero-Day Vulnerability Causes ShareFile Service Interruption
  • AsyncAPI npm Packages Compromise Sparks Botnet Concerns

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • Chinese Hackers Use AI Tools in Sophisticated Cyberattacks
  • White House Unveils AI-Driven Gold Eagle Initiative
  • SonicWall Urges Immediate Fixes for Critical Firewall Flaws
  • Zero-Day Vulnerability Causes ShareFile Service Interruption
  • AsyncAPI npm Packages Compromise Sparks Botnet Concerns

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark