Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Critical Flaw: OAuth Client ID Spoofing Exposes 2 Million Entra ID Users
July 14, 2026
Critical Claude for Chrome Flaw Exposes Gmail, Docs, Calendar Data
July 14, 2026
Critical Vulnerability in AsyncAPI npm Packages Exposes Users to Attack
July 14, 2026
Home/Threats/Miasma Malware Creates Backdoors in npm Packages, Targets Dev Machines
Threats

Miasma Malware Creates Backdoors in npm Packages, Targets Dev Machines

Key Takeaways Miasma v3 malware has re-emerged, infecting four legitimate AsyncAPI packages on npm. The malware establishes persistent backdoors on developer machines, allowing remote access and...

Jennifer sherman
Jennifer sherman
July 14, 2026 3 Min Read
4 0

Key Takeaways

  • Miasma v3 malware has re-emerged, infecting four legitimate AsyncAPI packages on npm.
  • The malware establishes persistent backdoors on developer machines, allowing remote access and control.
  • Unlike typical malware, Miasma v3 activates when an infected module is loaded, not during package installation, making detection difficult.
  • Compromised systems could expose sensitive data like source code, cloud credentials, and signing keys.
  • Immediate action is required to identify, isolate, and remediate affected systems and rotate all relevant credentials.

The Miasma malware has resurfaced, infiltrating trusted software packages used by numerous developers. Four AsyncAPI packages available on npm were maliciously altered to deliver a Miasma v3 payload, thereby creating persistent backdoors for remote access to affected systems.

Table Of Content

  • Key Takeaways
  • Miasma Turns Trusted npm Packages Into Persistent Backdoors
  • Persistent Access Raises the Stakes
  • Indicators of Compromise (IoCs)

This sophisticated campaign distinguishes itself by not relying on malware execution during package installation. Instead, the hidden malicious code activates when an application, code generator, or build process loads an infected module. This delayed activation can allow the compromise to go unnoticed for an extended period, increasing the potential for damage.

Researchers at JFrog uncovered this activity by meticulously tracking the modified releases and successfully decoding the downloaded payload. JFrog said in a report that traditional package origin records cannot fully protect projects when attackers manage to alter a source branch responsible for triggering releases.

A compromised account or build runner can lead to the exposure of critical assets, including source code, package registry tokens, cloud credentials, signing keys, and deployment secrets. Furthermore, the attacker gains an encrypted communication channel, enabling further commands and control over the compromised environment.

Miasma Turns Trusted npm Packages Into Persistent Backdoors

The tainted releases were published through AsyncAPI’s legitimate GitHub Actions release workflow, leveraging npm’s OIDC trusted-publisher integration. While these packages carried valid provenance attestations, the release process was subverted through an unauthorized direct commit to the repository’s release-triggering branch. This sequence is crucial because the workflow executed its intended function: publishing code from the project. Consequently, provenance accurately indicated the genuine repository and workflow but could not ascertain whether the underlying code change itself had undergone proper review or authorization.

The compromised packages do not contain malicious preinstall, install, or postinstall scripts. Instead, attackers embedded an obfuscated code block within standard source files, where network access and process creation would typically be unexpected. This malicious code was further concealed using whitespace to evade detection during code reviews.

When Node.js loads a modified module, the embedded code initiates a detached child process, allowing the legitimate application or CI task to proceed without interruption. This child process then retrieves a second-stage file from an IPFS gateway, writes it to a user-profile directory under a deceptive, plausible filename, and executes it in the background.

The recovered second-stage payload has been identified as Miasma v3. While its broader codebase includes capabilities for credential theft, package propagation, AI-tool poisoning, and mutation, the specific configuration observed primarily focuses on achieving persistence, establishing remote communications, enabling shell execution, and facilitating payload replacement, rather than automatic self-spreading.

Any project merely containing an affected version might not have executed the malware. However, a developer machine, documentation generation job, container build, or CI runner that loaded any of the affected code should be considered potentially compromised.

Persistent Access Raises the Stakes

Miasma v3 establishes encrypted communication channels and actively checks for updates to its infrastructure or new payloads. Its robust command handler allows an operator to execute arbitrary shell commands, receive output, fetch replacement code from IPFS, and modify its callback interval, effectively granting the attacker full control under the breached account’s privileges.

The malware also attempts to achieve user-level persistence across Linux, Windows, and macOS operating systems. While some of these persistence methods may fail, this does not impede the initial backdoor or the active command-and-control channel from functioning.

Indicators of Compromise (IoCs)

Type Indicator Description
Affected npm package @asyncapi/generator version 3.3.1 Malicious Miasma v3 package release
Affected npm package @asyncapi/generator-helpers version 1.1.1 Malicious Miasma v3 package release
Affected npm package @asyncapi/generator-components version 0.7.1 Malicious Miasma v3 package release <a href="https://ppl-ai-file-upload.s3.amazonaws.com/web/direct-files/attachments/11146061/7a2f5125-7cae-4946-9cd1-760a6b0e6b82/Miasma-Turns-Trusted-npm-Packages-Into-Persistent-Backdoors-for-Developer-Machines.pdf?AWSAccessKeyId=ASIA2F3EMEYESFHHMNWX&Signature=JRIyAFTD%2Fyu5qFeBtNS3FnLYynM%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEE8aCXVzLWVhc3QtMSJIMEYCIQCdalbLnpLOH65Y0gZ%2BEbMoiuACEJ%2B5eDsaV1K8PhL0pgIhAPoUgdLOJkm4Gb%2BotqSlf2HJjAFENN7OlsaHX4vesI3NKvMECBcQARoMNjk5NzUzMzA5NzA1IgxjWx%2F18NAQCSFUtRcq0ARQzHwu5Ov2sLr1i%2Bk64q0ewYXoO3HXNjhQu7JhSO4WJ0oPZCXeTZ6PkuIAei45M6iXMjK%2F%2B9T53JHgcPzsn7k3z13s0ZfsmGszZa2YWRvkqFKNqqc1JHTTdAzjxmu8mjLNgasDn%2FJWDLBOuBeZvfMjjYeRWKjTk%2FGa3ItXps2nnZpu99Y9siINznWc0WErIumy%2BkOkaaJxPBMqJc51jJp7o83SPq%2Ft271ioyzjBZQZQ0h3R5zloKAsL2aqKmq%2Fjp6gFW1eeUcgkJ1VUc2VOzltdHN9wgoY6mYaXj1l50jgRxEGBYLArWgD5MusfkWevLeAyHiKHDmo7HqLb%2FLPkdnjopDr5eH%2BBdR0

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackBreachMalwareSecurityThreat

Share Article

Jennifer sherman

Jennifer sherman

Jennifer is a cybersecurity news reporter covering data breaches, ransomware campaigns, and dark web markets. With a background in incident response, Jennifer provides unique insights into how organizations respond to cyber attacks and the evolving tactics of threat actors. Her reporting has covered major breaches affecting millions of users and has helped organizations understand emerging threats. Jennifer combines technical knowledge with investigative journalism to deliver in-depth coverage of cybersecurity incidents.

Previous Post

Critical UEFI Shim Flaw Lets Attackers Bypass Secure Boot

Next Post

SOC Efficiency: Cut Alert Overload and MTTR by 21 Minutes Per Case

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Miasma Malware Creates Backdoors in npm Packages, Targets Dev Machines
July 14, 2026
Critical UEFI Shim Flaw Lets Attackers Bypass Secure Boot
July 14, 2026
xAI Grok CLI Exposed Git Repos and .env Secrets on Cloud Storage
July 14, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us