{
  "name": "Supply Chain Compromise via GitHub Actions",
  "slug": "supply-chain-compromise-via-github-actions",
  "description": "On July 14, 2026, an attacker exploited a misconfigured GitHub Actions workflow in the AsyncAPI generator repository through a 'pwn request' vulnerability. The attacker opened 37 pull requests, with one containing obfuscated JavaScript that exfiltrated a highly privileged Personal Access Token belonging to asyncapi-bot. Using the stolen credentials, the attacker published five malicious npm package versions under the @asyncapi namespace, which collectively receive over three million downloads weekly. The malware features a multi-stage payload that establishes persistence and connects to command and control infrastructure, executing on import rather than install. It includes capabilities for credential theft targeting browsers, SSH keys, cloud credentials, and cryptocurrency wallets. The payload shares technical characteristics with the Miasma malware framework but shows unique features including a comprehensive command framework.",
  "published": "2026-07-14T16:36:48.773000+00:00",
  "created_at": "2026-07-14T17:30:06.959000+00:00",
  "modified_at": null,
  "created_at_opencti": "2026-07-14T17:30:06.959000+00:00",
  "author": "AlienVault",
  "confidence": 100,
  "report_types": [
    "threat-report"
  ],
  "labels": [
    "asyncapi",
    "credential theft",
    "github actions",
    "ipfs",
    "m-red-team",
    "miasma",
    "nostr relay",
    "npm supply chain attack",
    "pwn request"
  ],
  "tags": [],
  "related_entities": {
    "attack_patterns": [
      {
        "id": "7e3e3784-9547-42ca-b888-482972d14be3",
        "name": "T1528"
      },
      {
        "id": "b7ba0db0-7d4f-436f-8d5f-c431d690b048",
        "name": "T1555.003"
      },
      {
        "id": "9322d33b-00c1-4f99-9f1a-a33d93c0dac2",
        "name": "T1059.007"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "e615d5ec-8d67-4048-b21d-a5fb09925bb9",
        "name": "T1552.001"
      },
      {
        "id": "e87116ac-f56b-4b15-a5e2-a4ed737555d5",
        "name": "T1543.002"
      },
      {
        "id": "60972cf6-e90b-4600-af3c-13c468391d9c",
        "name": "T1106"
      },
      {
        "id": "9f21708c-24b6-46b5-bf7e-522256e8470c",
        "name": "T1552.004"
      },
      {
        "id": "97d377d8-89c7-48f8-a79f-0f48bd60df74",
        "name": "T1005"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "1d0d9e67-eb8a-439c-a2c7-cab311bb25c4",
        "name": "T1195.002"
      },
      {
        "id": "759720f6-8f0f-4017-ab21-7ac30d0bf46f",
        "name": "T1555.001"
      },
      {
        "id": "ee82762a-2958-4901-aade-341277d9b410",
        "name": "T1078.004"
      },
      {
        "id": "6f00068c-812c-4e2b-9100-2cfa86b3aed9",
        "name": "T1132.001"
      },
      {
        "id": "8598a502-2b24-4c8a-8ec3-45179f49e5b7",
        "name": "T1199"
      },
      {
        "id": "14660ccf-ca6b-42f6-8bca-e1b7a04650b3",
        "name": "T1573.001"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "ce39cd5d-9e4c-4138-b546-abd68e57f8c2",
        "name": "T1071.004"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "fa3b8b48-d97c-4242-83a6-07d435a5a79e",
        "name": "T1041"
      }
    ],
    "malware": [
      {
        "id": "2f504a89-03b5-446f-9820-2df5e962a0d1",
        "name": "Miasma",
        "slug": "miasma"
      },
      {
        "id": "efe7cd32-640a-4655-96b1-6f8c7b3fa60b",
        "name": "M-RED-TEAM"
      }
    ]
  },
  "external_refs": [
    {
      "id": "88ca2144-1478-4cbc-be57-9741d09571bd",
      "standard_id": "external-reference--427adf40-4584-54ab-9bb1-85f261de8fff",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://otx.alienvault.com/pulse/6a5665a03fa69522f5e6c982",
      "hash": null,
      "external_id": "6a5665a03fa69522f5e6c982",
      "created": "2026-07-14T17:30:06.874Z",
      "modified": "2026-07-14T17:30:06.874Z",
      "createdById": null
    },
    {
      "id": "9670cb2b-7546-44ac-8cff-804e4ed2b6bf",
      "standard_id": "external-reference--b11b055f-c28d-58b1-bc26-cdbffe72b92a",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://www.wiz.io/blog/m-red-team-asyncapi-supply-chain-compromise-via-github-actions",
      "hash": null,
      "external_id": null,
      "created": "2026-07-14T17:30:06.901Z",
      "modified": "2026-07-14T17:30:06.901Z",
      "createdById": null
    }
  ]
}