Automated security advisory from SafeDep. This repository depends on an AsyncAPI npm package that an attacker compromised on 14 July 2026. We found the repo through the GitHub dependency graph, so you may already run a safe version. Confirm before making changes.
What happened
An attacker published trojanized releases of four AsyncAPI packages. The malicious code pulls the Miasma RAT from IPFS and harvests browser data, SSH keys, npm tokens, GitHub CLI credentials, AWS secrets, and crypto wallets. It drops a persistent backdoor named sync.js.
Malicious versions to remove
| Package |
Malicious version |
@asyncapi/generator |
3.3.1 |
@asyncapi/generator-helpers |
1.1.1 |
@asyncapi/generator-components |
0.7.1 |
@asyncapi/specs |
6.11.2, 6.11.2-alpha.1 |
Pin these safe versions
@asyncapi/generator@3.3.0
@asyncapi/generator-helpers@1.1.0
@asyncapi/generator-components@0.7.0
@asyncapi/specs@6.11.1
Update your manifest, delete the resolved entries from your lockfile, then reinstall.
Check whether you pulled the malicious build
Grep your lockfile for the versions above. Then look for the dropped backdoor:
- Linux:
~/.local/share/NodeJS/sync.js
- macOS:
~/Library/Application Support/NodeJS/sync.js
- Windows:
%LOCALAPPDATA%\NodeJS\sync.js
Watch for outbound traffic to 85.137.53.71 on ports 8080, 8081, and 8091.
If a malicious version reached your machine
Rotate every credential on it: npm tokens, GitHub tokens, SSH keys, AWS access keys, browser-stored passwords, and wallet keys. Rotate this repository's write tokens as well.
Full analysis
https://safedep.io/asyncapi-generator-supply-chain-attack-miasma-rat/
Automated security advisory from SafeDep. This repository depends on an AsyncAPI npm package that an attacker compromised on 14 July 2026. We found the repo through the GitHub dependency graph, so you may already run a safe version. Confirm before making changes.
What happened
An attacker published trojanized releases of four AsyncAPI packages. The malicious code pulls the Miasma RAT from IPFS and harvests browser data, SSH keys, npm tokens, GitHub CLI credentials, AWS secrets, and crypto wallets. It drops a persistent backdoor named
sync.js.Malicious versions to remove
@asyncapi/generator3.3.1@asyncapi/generator-helpers1.1.1@asyncapi/generator-components0.7.1@asyncapi/specs6.11.2,6.11.2-alpha.1Pin these safe versions
Update your manifest, delete the resolved entries from your lockfile, then reinstall.
Check whether you pulled the malicious build
Grep your lockfile for the versions above. Then look for the dropped backdoor:
~/.local/share/NodeJS/sync.js~/Library/Application Support/NodeJS/sync.js%LOCALAPPDATA%\NodeJS\sync.jsWatch for outbound traffic to
85.137.53.71on ports 8080, 8081, and 8091.If a malicious version reached your machine
Rotate every credential on it: npm tokens, GitHub tokens, SSH keys, AWS access keys, browser-stored passwords, and wallet keys. Rotate this repository's write tokens as well.
Full analysis
https://safedep.io/asyncapi-generator-supply-chain-attack-miasma-rat/