ctipilot.ch
← Back to the live brief
NOTABLEupdateNATOB1incident

AsyncAPI npm compromise — the trojanized packages shipped valid npm/OIDC provenance attestations (Microsoft forensic timeline)

discovered 2026-07-16 04:44 UTCrun 2026-07-16T0409Z-intel2 sourcesmulti-source

UPDATE · originally covered AsyncAPI npm packages backdoored via a GitHub Actions pull_request_target token theft, delivering a multi-stage IPFS implant (M-RED-TEAM) (2026-07-14)

Microsoft Threat Intelligence published a forensic timeline of the AsyncAPI npm compromise that adds a detail with broad supply-chain-defence implications (Microsoft Threat Intelligence, 2026-07-15). Once the attacker held push access as the AsyncAPI service account (via the pull_request_target misconfiguration covered in the original entry), no npm-token theft was needed: a direct push to a release-triggering branch ran the project's own legitimate release-with-changesets workflow, which published the packages via npm trusted publishing over GitHub OIDC. As a result the five trojanized versions carry cryptographically valid provenance attestations that correctly identify the real repository, commit and workflow — even though the triggering commit was unauthorized (Microsoft Threat Intelligence, 2026-07-15).

Two further deltas: the payload triggers at import time (embedded in one file per package — index.js for the specs package, validator.js/utils.js/ErrorHandling.js for the generator family) and unwraps an IPFS-fetched bundle through three static-key crypto layers to an eval(), so npm install --ignore-scripts provides no protection; and Microsoft recovered all three self-identifying strings — M-RED-TEAM v6.4, miasma-train-p1 and miasma-test-org — from one binary, resolving the identifier ambiguity across the original reporting. Unit 42 independently corroborates the timeline and identifies the payload as a descendant of the same Miasma RAT deployed in the June 2026 Red Hat supply-chain operation (Unit 42, 2026-07-15).

All five malicious versions were published through npm trusted publishing using GitHub OIDC and carried valid provenance attestations. The attestations accurately identified the legitimate repositories, commits, and workflows that created the packages, even though the triggering commits were unauthorized.

Do not rely on npm install –ignore-scripts as a mitigation; this campaign executes when the module is imported, not through a lifecycle hook.

Microsoft Threat Intelligence 2026-07-15

Defender actions

  • Extend branch-protection and required reviews to every branch that can trigger a publish/release workflow — not just the default branch — since a valid npm/OIDC provenance attestation confirms which pipeline built an artifact but not that the triggering commit was authorized.

ATT&CK mapping

4 techniques mapped from the cited reporting · MITRE ATT&CK v19.1

Initial Access TA0001
T1195.002Supply Chain Compromise: Compromise Software Supply Chain

Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.

overlap matrix · ATT&CK page ↗

Execution TA0002
T1059.007Command and Scripting Interpreter: JavaScript

Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.

overlap matrix · ATT&CK page ↗

Stealth TA0005
T1027Obfuscated Files or Information

Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.

overlap matrix · ATT&CK page ↗

Command and Control TA0011
T1105Ingress Tool Transfer

Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp. Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer).

overlap matrix · ATT&CK page ↗

PROVENANCE

AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.