Supply Chain Compromise via GitHub Actions
Essential information
- Published
- 14/07/2026 18:36
- Modified
- —
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- asyncapi credential theft github actions ipfs m-red-team miasma nostr relay npm supply chain attack pwn request
- Related entities
- 21 techniques (mitre), 2 malware
Description
On July 14, 2026, an attacker exploited a misconfigured GitHub Actions workflow in the AsyncAPI generator repository through a 'pwn request' vulnerability. The attacker opened 37 pull requests, with one containing obfuscated JavaScript that exfiltrated a highly privileged Personal Access Token belonging to asyncapi-bot. Using the stolen credentials, the attacker published five malicious npm package versions under the @asyncapi namespace, which collectively receive over three million downloads weekly. The malware features a multi-stage payload that establishes persistence and connects to command and control infrastructure, executing on import rather than install. It includes capabilities for credential theft targeting browsers, SSH keys, cloud credentials, and cryptocurrency wallets. The payload shares technical characteristics with the Miasma malware framework but shows unique features including a comprehensive command framework.