Skip to content

Security advisory: malicious AsyncAPI package versions published (Miasma RAT) #18

Description

@kunalsingh-safedep

Automated security advisory from SafeDep. On 14 July 2026, between 07:10 and 08:30 UTC, an attacker published malicious versions of four AsyncAPI npm packages. This repository's dependency graph includes one of them, so we are notifying you as a precaution. You are most likely not affected. You are only at risk if your install resolved one of the exact malicious versions below. Please check and confirm.

How your repository pulls this in

GitHub's dependency graph for this repository resolves the affected package through the path(s) below:

  • LeadMagic/leadmagic-openapi@stoplight/spectral-cli@6.15.0@stoplight/spectral-rulesets@1.22.1@asyncapi/specs@6.11.1

None of the resolved versions above are malicious releases, so this repository is not affected. Pin the safe versions as a precaution.

Verify independently: https://github.com/LeadMagic/leadmagic-openapi/network/dependencies

The malicious versions

Package Malicious version Last safe version
@asyncapi/generator 3.3.1 3.3.0
@asyncapi/generator-helpers 1.1.1 1.1.0
@asyncapi/generator-components 0.7.1 0.7.0
@asyncapi/specs 6.11.2, 6.11.2-alpha.1 6.11.1

The malicious code pulls the Miasma RAT from IPFS and harvests browser data, SSH keys, npm tokens, GitHub CLI credentials, AWS secrets, and crypto wallets. It drops a persistent backdoor named sync.js.

Check whether the bad version reached you

Grep your committed lockfile (package-lock.json, pnpm-lock.yaml, yarn.lock) for the malicious versions above. If none appear, you are not affected. Pin the safe versions anyway as a precaution.

If a malicious version is present

Pin the safe versions:

@asyncapi/generator@3.3.0
@asyncapi/generator-helpers@1.1.0
@asyncapi/generator-components@0.7.0
@asyncapi/specs@6.11.1

Then check the machine that ran the install for the dropped backdoor:

  • Linux: ~/.local/share/NodeJS/sync.js
  • macOS: ~/Library/Application Support/NodeJS/sync.js
  • Windows: %LOCALAPPDATA%\NodeJS\sync.js

Watch for outbound traffic to 85.137.53.71 on ports 8080, 8081, and 8091. If you find any of these, rotate every credential on that machine: npm tokens, GitHub tokens, SSH keys, AWS access keys, browser-stored passwords, and wallet keys.

Full analysis

https://safedep.io/asyncapi-generator-supply-chain-attack-miasma-rat/

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions