2026-07-16 · view entry permalink →
AsyncAPI npm compromise — the trojanized packages shipped valid npm/OIDC provenance attestations (Microsoft forensic timeline)
UPDATE · originally covered AsyncAPI npm packages backdoored via a GitHub Actions pull_request_target token theft, delivering a multi-stage IPFS implant (M-RED-TEAM) (2026-07-14)
Microsoft Threat Intelligence published a forensic timeline of the AsyncAPI npm compromise that adds a detail with broad supply-chain-defence implications (Microsoft Threat Intelligence, 2026-07-15). Once the attacker held push access as the AsyncAPI service account (via the pull_request_target misconfiguration covered in the original entry), no npm-token theft was needed: a direct push to a release-triggering branch ran the project's own legitimate release-with-changesets workflow, which published the packages via npm trusted publishing over GitHub OIDC. As a result the five trojanized versions carry cryptographically valid provenance attestations that correctly identify the real repository, commit and workflow — even though the triggering commit was unauthorized (Microsoft Threat Intelligence, 2026-07-15).
Two further deltas: the payload triggers at import time (embedded in one file per package — index.js for the specs package, validator.js/utils.js/ErrorHandling.js for the generator family) and unwraps an IPFS-fetched bundle through three static-key crypto layers to an eval(), so npm install --ignore-scripts provides no protection; and Microsoft recovered all three self-identifying strings — M-RED-TEAM v6.4, miasma-train-p1 and miasma-test-org — from one binary, resolving the identifier ambiguity across the original reporting. Unit 42 independently corroborates the timeline and identifies the payload as a descendant of the same Miasma RAT deployed in the June 2026 Red Hat supply-chain operation (Unit 42, 2026-07-15).
All five malicious versions were published through npm trusted publishing using GitHub OIDC and carried valid provenance attestations. The attestations accurately identified the legitimate repositories, commits, and workflows that created the packages, even though the triggering commits were unauthorized.
Do not rely on npm install –ignore-scripts as a mitigation; this campaign executes when the module is imported, not through a lifecycle hook.