AsyncAPI npm Packages Poisoned in CI/CD Supply Chain Attack Delivering Miasma RAT
On July 14, 2026, security researchers discovered a supply chain attack targeting the AsyncAPI open-source project, in which four widely used npm packages were compromised. Attackers gained unauthorized write access to official AsyncAPI GitHub repositories and pushed malicious commits to a development branch, hijacking the project's automated CI/CD pipeline to publish poisoned package versions. Because the build process was exploited rather than npm credentials stolen, the malicious packages carried valid provenance attestations, making them appear legitimate. The embedded malware acted as a dropper that executed when the library was loaded by an application, ultimately installing Miasma RAT — a cross-platform Remote Access Trojan capable of data exfiltration, persistence, and lateral movement. The incident underscores a critical blind spot in software supply chain security: publisher identity verification alone cannot guarantee the integrity of code if the underlying build infrastructure is compromised.
This is an AI-generated summary. ShortSingh links to the original source for the complete article.

Discussion (0)
Log in to join the discussion and vote.
Log in