ctipilot.ch

M-RED-TEAM

tool · tool:m-red-team-malware-framework

Multi-stage Node.js post-compromise implant framework (self-identifies as 'M-RED-TEAM v6.4' in code comments) delivered via an IPFS-hosted encrypted loader; establishes user-level persistence (systemd user service on Linux, platform equivalents on macOS/Windows), beacons over multiple C2 channels (HTTP, Nostr relays, Ethereum smart contracts, libp2p mesh) and carries credential-theft capabilities (browser secrets, SSH keys, npm/GitHub/AWS tokens, macOS Keychain, crypto wallets). First observed in the 2026-07-14 AsyncAPI npm supply-chain compromise (Wiz, 2026-07-14).

Aliases: miasma-train-p1, Miasma RAT

Coverage timeline
1
first 2026-07-14 → last 2026-07-14
Peak priority
high
1 high
Sources cited
2
2 hosts
Sections touched
1
active-threats
Co-occurring entities
3
see Related entities below
ATT&CK techniques
7
pinned v19.1 · see below

Hunting pivots

Affected products
@asyncapi/generator@asyncapi/generator-components@asyncapi/generator-helpers@asyncapi/specs

ATT&CK techniques

7 techniques observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Initial Access TA0001

T1195.002Supply Chain Compromise: Compromise Software Supply Chain×1

Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.

Evidence: 2026-07-14/asyncapi-npm-supply-chain-compromise-github-actions · ATT&CK page ↗

Execution TA0002

T1059.007Command and Scripting Interpreter: JavaScript×1

Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.

Evidence: 2026-07-14/asyncapi-npm-supply-chain-compromise-github-actions · ATT&CK page ↗

Persistence TA0003

T1543.002Create or Modify System Process: Systemd Service×1

Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources. Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.

Evidence: 2026-07-14/asyncapi-npm-supply-chain-compromise-github-actions · ATT&CK page ↗

Privilege Escalation TA0004

T1543.002Create or Modify System Process: Systemd Service×1

Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources. Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.

Evidence: 2026-07-14/asyncapi-npm-supply-chain-compromise-github-actions · ATT&CK page ↗

Stealth TA0005

T1027Obfuscated Files or Information×1

Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.

Evidence: 2026-07-14/asyncapi-npm-supply-chain-compromise-github-actions · ATT&CK page ↗

Credential Access TA0006

T1528Steal Application Access Token×1

Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.

Evidence: 2026-07-14/asyncapi-npm-supply-chain-compromise-github-actions · ATT&CK page ↗

Command and Control TA0011

T1071.001Application Layer Protocol: Web Protocols×1

Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Evidence: 2026-07-14/asyncapi-npm-supply-chain-compromise-github-actions · ATT&CK page ↗

T1105Ingress Tool Transfer×1

Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp. Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer).

Evidence: 2026-07-14/asyncapi-npm-supply-chain-compromise-github-actions · ATT&CK page ↗

Story timeline

  1. 2026-07-14AsyncAPI npm packages backdoored via a GitHub Actions pull_request_target token theft, delivering a multi-stage IPFS implant (M-RED-TEAM)
    active-threatsAttacker abuses an AsyncAPI GitHub Actions pwn-request to steal a publish token and backdoor five @asyncapi npm versions with a multi-stage implant

Relationships explore in graph

Typed, source-stated connections from the entity registry — each edge cites the entry whose reporting establishes it.

overlaps with

Where this entity is cited

  • active-threats1

Source distribution

  • safedep.io1 (50%)
  • wiz.io1 (50%)

Co-occurring entities

Derived — referenced by the same focused operational entries (weekly summaries and report roundups don't count); ×N counts the shared entries.

Entries about M-RED-TEAM (1)

2026-07-14 · view entry permalink →

HIGHNATOB1

AsyncAPI npm packages backdoored via a GitHub Actions pull_request_target token theft, delivering a multi-stage IPFS implant (M-RED-TEAM)

On 2026-07-14 an attacker compromised the asyncapi/generator GitHub repository by abusing a pull_request_target workflow that checked out the pull request's own code while still running "in the context of the base repository with full access to secrets" (Wiz, 2026-07-14). The attacker opened 37 pull requests — almost all a decoy adding a fake charity-donation page — while a single one (PR #2155, 05:08 UTC) carried obfuscated JavaScript that scanned the Actions runner environment for secrets and exfiltrated them to a paste-site dead drop, capturing the token of asyncapi-bot, a service account with organization-wide access; by 06:58 UTC the attacker pushed a malicious commit to the next branch and from 07:10 UTC the release workflow published five trojanized versions across four packages — @asyncapi/generator 3.3.1, @asyncapi/generator-helpers 1.1.1, @asyncapi/generator-components 0.7.1, and @asyncapi/specs 6.11.2 and 6.11.2-alpha.1 — which "combined, these packages see over three million downloads a week" (Wiz, 2026-07-14). A contributor had opened a fix for the vulnerable workflow on 2026-05-17; it was still unmerged 58 days later when the attack landed.

The injected code executes on import/require, not at install time: it spawns a detached Node child process that downloads a later stage from IPFS into a per-user application-support directory, then runs an encrypted multi-stage bundle whose runtime "explicitly self-identifies as 'M-RED-TEAM v6.4' in code comments" (Wiz, 2026-07-14). It establishes persistence via a systemd user service on Linux (with platform-specific equivalents on macOS and Windows) and beacons over multiple command-and-control channels — HTTP, Nostr relays, Ethereum smart contracts, and a libp2p mesh — accepting remote commands for file operations, directory listing and data exfiltration; its obfuscation uses javascript-obfuscator with a custom base64 alphabet matching prior incidents. The bundle carries credential-theft capabilities targeting saved browser passwords and cookies, SSH keys, npm and GitHub tokens, AWS credentials, the macOS Keychain and crypto wallets. Wiz notes technical fingerprints overlapping the Miasma framework (a miasma-branded persistence service and relay tags) and a dead-drop naming pattern matching the separately-tracked prt-scan pull-request-abuse campaign, but states that "beyond the references and initial obfuscation method the payload contains minimal resemblance to previous Miasma and Shai-Hulud payloads" and that "at this time, we are not making any definitive attribution." SafeDep, tracking the same incident, reports the payload self-identifying as miasma-train-p1 rather than Wiz's M-RED-TEAM v6.4 and frames the Miasma link more directly — "this is either a private, parallel build by the same operators or a separate group that adopted the Miasma brand after the source was published" (SafeDep, 2026-07-14); a team hunting code-comment strings should check for both identifiers.

Defender takeaway. This is a recurring 2026 pattern of pull_request_target "pwn request" abuse feeding npm-ecosystem backdoors, and the load-bearing control gap is a CI/CD one: any workflow that triggers on pull_request_target and then checks out untrusted PR code runs attacker code with access to repository secrets. Audit your own Actions workflows for that pattern, and — because the payload runs on import rather than install — a --ignore-scripts install policy does not neutralise it; only pinning to known-good versions and rebuilding from a clean state does.

Triage: a legitimate require() of AsyncAPI tooling performs no runtime network activity; the signal is a detached Node child process spawned from an npm/node parent at import time that reaches out to an IPFS gateway or a peer-to-peer mesh and then creates a user-level persistence service — process-lineage telemetry (a script interpreter spawning a hidden detached child with outbound egress) plus a new systemd/user-service artifact created outside a package-manager transaction is the discriminator, since benign build tooling produces neither.

On July 14, 2026, an attacker opened 37 pull requests to the AsyncAPI generator repository. Almost all attempted to add a fake charity donation page.

The payload executes on import/require, not install.

The payload includes credential theft capabilities targeting browser saved passwords and cookies (Chrome, Brave, Firefox, Edge), SSH keys, npm and GitHub tokens, AWS credentials, macOS Keychain, and cryptocurrency wallets.

Wiz 2026-07-14

This is either a private, parallel build by the same operators or a separate group that adopted the Miasma brand after the source was published.

SafeDep 2026-07-14
incident14 Jul 12:38Zmulti-sourceOpen finding ↗
Sources: Wiz · SafeDep