ctipilot.ch
← Back to the live brief
HIGHNATOB1incident

AsyncAPI npm packages backdoored via a GitHub Actions pull_request_target token theft, delivering a multi-stage IPFS implant (M-RED-TEAM)

discovered 2026-07-14 12:38 UTCrun 2026-07-14T1210Z-intel2 sourcesmulti-source

On 2026-07-14 an attacker compromised the asyncapi/generator GitHub repository by abusing a pull_request_target workflow that checked out the pull request's own code while still running "in the context of the base repository with full access to secrets" (Wiz, 2026-07-14). The attacker opened 37 pull requests — almost all a decoy adding a fake charity-donation page — while a single one (PR #2155, 05:08 UTC) carried obfuscated JavaScript that scanned the Actions runner environment for secrets and exfiltrated them to a paste-site dead drop, capturing the token of asyncapi-bot, a service account with organization-wide access; by 06:58 UTC the attacker pushed a malicious commit to the next branch and from 07:10 UTC the release workflow published five trojanized versions across four packages — @asyncapi/generator 3.3.1, @asyncapi/generator-helpers 1.1.1, @asyncapi/generator-components 0.7.1, and @asyncapi/specs 6.11.2 and 6.11.2-alpha.1 — which "combined, these packages see over three million downloads a week" (Wiz, 2026-07-14). A contributor had opened a fix for the vulnerable workflow on 2026-05-17; it was still unmerged 58 days later when the attack landed.

The injected code executes on import/require, not at install time: it spawns a detached Node child process that downloads a later stage from IPFS into a per-user application-support directory, then runs an encrypted multi-stage bundle whose runtime "explicitly self-identifies as 'M-RED-TEAM v6.4' in code comments" (Wiz, 2026-07-14). It establishes persistence via a systemd user service on Linux (with platform-specific equivalents on macOS and Windows) and beacons over multiple command-and-control channels — HTTP, Nostr relays, Ethereum smart contracts, and a libp2p mesh — accepting remote commands for file operations, directory listing and data exfiltration; its obfuscation uses javascript-obfuscator with a custom base64 alphabet matching prior incidents. The bundle carries credential-theft capabilities targeting saved browser passwords and cookies, SSH keys, npm and GitHub tokens, AWS credentials, the macOS Keychain and crypto wallets. Wiz notes technical fingerprints overlapping the Miasma framework (a miasma-branded persistence service and relay tags) and a dead-drop naming pattern matching the separately-tracked prt-scan pull-request-abuse campaign, but states that "beyond the references and initial obfuscation method the payload contains minimal resemblance to previous Miasma and Shai-Hulud payloads" and that "at this time, we are not making any definitive attribution." SafeDep, tracking the same incident, reports the payload self-identifying as miasma-train-p1 rather than Wiz's M-RED-TEAM v6.4 and frames the Miasma link more directly — "this is either a private, parallel build by the same operators or a separate group that adopted the Miasma brand after the source was published" (SafeDep, 2026-07-14); a team hunting code-comment strings should check for both identifiers.

Defender takeaway. This is a recurring 2026 pattern of pull_request_target "pwn request" abuse feeding npm-ecosystem backdoors, and the load-bearing control gap is a CI/CD one: any workflow that triggers on pull_request_target and then checks out untrusted PR code runs attacker code with access to repository secrets. Audit your own Actions workflows for that pattern, and — because the payload runs on import rather than install — a --ignore-scripts install policy does not neutralise it; only pinning to known-good versions and rebuilding from a clean state does.

Triage: a legitimate require() of AsyncAPI tooling performs no runtime network activity; the signal is a detached Node child process spawned from an npm/node parent at import time that reaches out to an IPFS gateway or a peer-to-peer mesh and then creates a user-level persistence service — process-lineage telemetry (a script interpreter spawning a hidden detached child with outbound egress) plus a new systemd/user-service artifact created outside a package-manager transaction is the discriminator, since benign build tooling produces neither.

On July 14, 2026, an attacker opened 37 pull requests to the AsyncAPI generator repository. Almost all attempted to add a fake charity donation page.

The payload executes on import/require, not install.

The payload includes credential theft capabilities targeting browser saved passwords and cookies (Chrome, Brave, Firefox, Edge), SSH keys, npm and GitHub tokens, AWS credentials, macOS Keychain, and cryptocurrency wallets.

Wiz 2026-07-14

This is either a private, parallel build by the same operators or a separate group that adopted the Miasma brand after the source was published.

SafeDep 2026-07-14

Defender actions

  • Inventory CI/CD pipelines and developer hosts for imports of @asyncapi/generator 3.3.1, @asyncapi/generator-helpers 1.1.1, @asyncapi/generator-components 0.7.1, @asyncapi/specs 6.11.2 or 6.11.2-alpha.1 published on 2026-07-14; downgrade to the immediately preceding releases (3.3.0 / 1.1.0 / 0.7.0 / 6.11.1) and, where any affected version was imported, rotate npm, GitHub, cloud (AWS) and SSH credentials from a clean host — the implant runs on import, not install.

ATT&CK mapping

7 techniques mapped from the cited reporting · MITRE ATT&CK v19.1

Initial Access TA0001
T1195.002Supply Chain Compromise: Compromise Software Supply Chain

Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.

overlap matrix · ATT&CK page ↗

Execution TA0002
T1059.007Command and Scripting Interpreter: JavaScript

Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.

overlap matrix · ATT&CK page ↗

Persistence TA0003
T1543.002Create or Modify System Process: Systemd Service

Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources. Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.

overlap matrix · ATT&CK page ↗

Privilege Escalation TA0004
T1543.002Create or Modify System Process: Systemd Service

Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources. Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.

overlap matrix · ATT&CK page ↗

Stealth TA0005
T1027Obfuscated Files or Information

Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.

overlap matrix · ATT&CK page ↗

Credential Access TA0006
T1528Steal Application Access Token

Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.

overlap matrix · ATT&CK page ↗

Command and Control TA0011
T1071.001Application Layer Protocol: Web Protocols

Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

overlap matrix · ATT&CK page ↗

T1105Ingress Tool Transfer

Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp. Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer).

overlap matrix · ATT&CK page ↗

PROVENANCE

AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.