Unpacking the AsyncAPI npm supply chain compromise and import-time payload delivery
Essential information
- Published
- 16/07/2026 08:59
- Modified
- —
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- asyncapi bluerabbit gigawiper miasma npm compromise
- Related entities
- 7 indicators, 1 observables, 23 techniques (mitre), 3 malware
Description
On July 14, 2026, a coordinated supply chain attack compromised the @asyncapi npm organization, affecting five package versions across four packages. The attack originated from a GitHub Actions workflow vulnerability that exposed privileged credentials, enabling unauthorized code injection. Unlike typical postinstall attacks, this campaign executes at module import time, bypassing common npm install --ignore-scripts protections. The malicious code spawned hidden processes that fetched a second-stage payload from IPFS, deploying the Miasma modular runtime with command-and-control capabilities, persistence mechanisms, and credential harvesting features. The payload included disabled modules for supply-chain propagation, AI-tool poisoning, and sandbox evasion. All compromised packages were published through legitimate GitHub OIDC workflows with valid provenance signatures, masking the malicious activity within trusted release processes.