Automated security advisory from SafeDep. On 14 July 2026, between 07:10 and 08:30 UTC, an attacker published malicious versions of four AsyncAPI npm packages. This repository's dependency graph includes one of them, so we are notifying you as a precaution. You are most likely not affected. You are only at risk if your install resolved one of the exact malicious versions below. Please check and confirm.
How your repository pulls this in
GitHub's dependency graph for this repository resolves the affected package through the path(s) below:
LeadMagic/leadmagic-openapi → @stoplight/spectral-cli@6.15.0 → @stoplight/spectral-rulesets@1.22.1 → @asyncapi/specs@6.11.1
None of the resolved versions above are malicious releases, so this repository is not affected. Pin the safe versions as a precaution.
Verify independently: https://github.com/LeadMagic/leadmagic-openapi/network/dependencies
The malicious versions
| Package |
Malicious version |
Last safe version |
@asyncapi/generator |
3.3.1 |
3.3.0 |
@asyncapi/generator-helpers |
1.1.1 |
1.1.0 |
@asyncapi/generator-components |
0.7.1 |
0.7.0 |
@asyncapi/specs |
6.11.2, 6.11.2-alpha.1 |
6.11.1 |
The malicious code pulls the Miasma RAT from IPFS and harvests browser data, SSH keys, npm tokens, GitHub CLI credentials, AWS secrets, and crypto wallets. It drops a persistent backdoor named sync.js.
Check whether the bad version reached you
Grep your committed lockfile (package-lock.json, pnpm-lock.yaml, yarn.lock) for the malicious versions above. If none appear, you are not affected. Pin the safe versions anyway as a precaution.
If a malicious version is present
Pin the safe versions:
@asyncapi/generator@3.3.0
@asyncapi/generator-helpers@1.1.0
@asyncapi/generator-components@0.7.0
@asyncapi/specs@6.11.1
Then check the machine that ran the install for the dropped backdoor:
- Linux:
~/.local/share/NodeJS/sync.js
- macOS:
~/Library/Application Support/NodeJS/sync.js
- Windows:
%LOCALAPPDATA%\NodeJS\sync.js
Watch for outbound traffic to 85.137.53.71 on ports 8080, 8081, and 8091. If you find any of these, rotate every credential on that machine: npm tokens, GitHub tokens, SSH keys, AWS access keys, browser-stored passwords, and wallet keys.
Full analysis
https://safedep.io/asyncapi-generator-supply-chain-attack-miasma-rat/
Automated security advisory from SafeDep. On 14 July 2026, between 07:10 and 08:30 UTC, an attacker published malicious versions of four AsyncAPI npm packages. This repository's dependency graph includes one of them, so we are notifying you as a precaution. You are most likely not affected. You are only at risk if your install resolved one of the exact malicious versions below. Please check and confirm.
How your repository pulls this in
GitHub's dependency graph for this repository resolves the affected package through the path(s) below:
LeadMagic/leadmagic-openapi→@stoplight/spectral-cli@6.15.0→@stoplight/spectral-rulesets@1.22.1→@asyncapi/specs@6.11.1None of the resolved versions above are malicious releases, so this repository is not affected. Pin the safe versions as a precaution.
Verify independently: https://github.com/LeadMagic/leadmagic-openapi/network/dependencies
The malicious versions
@asyncapi/generator3.3.13.3.0@asyncapi/generator-helpers1.1.11.1.0@asyncapi/generator-components0.7.10.7.0@asyncapi/specs6.11.2,6.11.2-alpha.16.11.1The malicious code pulls the Miasma RAT from IPFS and harvests browser data, SSH keys, npm tokens, GitHub CLI credentials, AWS secrets, and crypto wallets. It drops a persistent backdoor named
sync.js.Check whether the bad version reached you
Grep your committed lockfile (
package-lock.json,pnpm-lock.yaml,yarn.lock) for the malicious versions above. If none appear, you are not affected. Pin the safe versions anyway as a precaution.If a malicious version is present
Pin the safe versions:
Then check the machine that ran the install for the dropped backdoor:
~/.local/share/NodeJS/sync.js~/Library/Application Support/NodeJS/sync.js%LOCALAPPDATA%\NodeJS\sync.jsWatch for outbound traffic to
85.137.53.71on ports 8080, 8081, and 8091. If you find any of these, rotate every credential on that machine: npm tokens, GitHub tokens, SSH keys, AWS access keys, browser-stored passwords, and wallet keys.Full analysis
https://safedep.io/asyncapi-generator-supply-chain-attack-miasma-rat/