Miasma Turns Trusted npm Packages Into Persistent Backdoors for Developer Machines

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Spread the love

Miasma has returned through software packages that many developers would normally trust. Four AsyncAPI packages on npm were altered to deliver a Miasma v3 payload, creating a route for long-term remote access.

The campaign does not depend on malware running when a package is installed. Instead, hidden code activates when an application, generator, or build process loads an affected module, which can leave exposure unnoticed until later.

JFrog researchers identified the activity after tracing the modified releases and decoding the downloaded payload. 

JFrog said in a report shared with Cyber Security News (CSN). Valid package origin records cannot protect projects if attackers alter a release-triggering source branch.

A compromised account or build runner can expose source code, package registry tokens, cloud credentials, signing keys, and deployment secrets, while the attacker retains an encrypted channel for further commands.

Miasma Turns Trusted npm Packages Into Persistent Backdoors

The affected releases were published through AsyncAPI’s legitimate GitHub Actions release workflow using npm’s OIDC trusted-publisher integration.

The packages carried valid provenance attestations, but the release process followed an unauthorized direct commit to the repository’s release-triggering branch.

That sequence matters because the workflow did exactly what it was designed to do: publish code from the project.

An unsigned commit associated with GitHub’s invalid-email placeholder (Source – JFrog)

Provenance could accurately point to the real repository and workflow, yet it could not determine whether the code change itself had been reviewed or authorized.

The compromised packages contain no malicious preinstall, install, or postinstall script. Attackers placed an obfuscated block inside ordinary source files where network access and process creation would not be expected, using whitespace to hide it during review.

When Node.js loads the modified module, the code starts a detached child process and allows the normal application or CI task to continue.

It retrieves a second-stage file from an IPFS gateway, writes it into a user-profile directory under a plausible name, and starts it in the background.

The recovered second stage identifies itself as Miasma v3. Although its wider codebase contains functions for credential theft, package propagation, AI-tool poisoning, and mutation, the observed configuration enables persistence, remote communications, shell execution, and payload replacement rather than automatic spreading.

A project that merely contains an affected version may not have executed it, but a developer machine, documentation job, container build, or CI runner that loaded affected code should be treated as potentially compromised.

Persistent Access Raises the Stakes

Miasma v3 establishes encrypted communications and checks for new infrastructure or payloads.

Its active command handler can run arbitrary shell commands, return output, fetch replacement code from IPFS, and alter its callback interval, giving an operator control as the breached account.

The malware also attempts user-level persistence on Linux, Windows, and macOS. Some methods may fail, but this does not prevent the initial backdoor or active command channel.

Organizations should identify repositories, lockfiles, caches, build logs, container images, and CI runs containing the affected releases.

AsyncAPI npm package (Source – JFrog)

They should determine whether modules were loaded, then hunt for detached Node.js children, access to the listed IPFS content identifier, and execution of node from a user profile.

Where execution is confirmed or cannot be excluded, responders should isolate the developer endpoint or runner and preserve process, filesystem, network, shell, CI, GitHub audit, and package evidence before cleanup.

Affected releases should be removed, clean versions installed, and lockfiles regenerated from trusted metadata.

Defenders should block the listed network indicators, remove the payload, lock, identity, and persistence artifacts, and inspect shell startup files for the supplied marker.

Credentials reachable from affected systems, including npm, GitHub, cloud, SSH, signing, deployment, and CI credentials, should be rotated from a clean device.

Finally, organizations should rebuild confirmed stage-three systems from known-clean images when forensic scoping is incomplete.

Release-triggering branches need enforced review, strong branch protections, narrow workflow permissions, and checks of GitHub and npm publishing settings to prevent a trusted pipeline being reused against users.

Indicators of compromise (IoCs):-

Type Indicator Description
Affected npm package @asyncapi/generator version 3.3.1 Malicious Miasma v3 package release 
Affected npm package @asyncapi/generator-helpers version 1.1.1 Malicious Miasma v3 package release 
Affected npm package @asyncapi/generator-components version 0.7.1 Malicious Miasma v3 package release 
Affected npm package @asyncapi/specs versions 6.11.26.11.2-alpha.1 Malicious Miasma v3 package releases 
IPFS download URL hxxps://ipfs[.]io/ipfs/QmQobZSp1wRPrpSEQ56qnyq7ecZh5Bg5k1fnjt4SUwwHb9 Second-stage payload retrieval location 
IPFS CID QmQobZSp1wRPrpSEQ56qnyq7ecZh5Bg5k1fnjt4SUwwHb9 Exact malicious IPFS content identifier 
C2 server hxxp://85.137.53[.]71:8080 Primary command-and-control endpoint 
Upload server hxxp://85.137.53[.]71:8081 Data-upload endpoint 
C2 proxy management hxxp://85.137.53[.]71:8091 Command-and-control proxy-management endpoint 
Campaign identifier miasma-train-p1 Embedded campaign and target name 
HTTP header X-Miasma-Spawn-Chain Protocol indicator used in HTTP traffic 
mDNS service miasma.tcp Local network discovery indicator 
Ethereum contract 0x12c37A86a0Ed0beBe5d1d6a43E42f07860eAc710 Resilient discovery or update mechanism 
Linux payload ~/.config/systemd/user/NodeJS/sync.js Linux user-profile payload location 
macOS payload ~/Library/Application Support/NodeJS/sync.js macOS user-profile payload location 
Windows payload %LOCALAPPDATA%\NodeJS\sync.js Windows user-profile payload location 
Singleton lock run/node.lock Miasma process lock artifact 
Linux identity file ~/.cache/mesa/shadercache/glcache.bin Camouflaged victim identity artifact 
macOS identity file ~/Library/Application Support/com.apple.spotlightindex-v2.cache Camouflaged victim identity artifact 
Windows identity file %USERPROFILE%\.dat Camouflaged victim identity artifact 
Linux persistence miasma-monitor.service User-level systemd persistence artifact 
macOS persistence marker Node Auto-Update Script Shell startup-file persistence marker 
Windows persistence HKCU\...\monitor Registry-based user-level persistence artifact 

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Help your security team focus on the that matter most. Use ANY.RUN Threat Intelligence Feeds to automate enrichment and improve detection accuracy.