AsyncAPI npm packages infected with credential-stealing malware

by · BleepingComputer

Five malicious versions of AsyncAPI packages were published to the Node Package Manager (npm) in a supply-chain attack that delivered a remote access trojan with info-stealing capabilities.

The threat actor exploited a misconfigured GitHub Actions workflow and pushed trojanized packages in the @asyncapi namespace that had a cummulative weekly download count of more than 2.25 million.

Multiple security companies confirmed that on July 14, an attacker compromised two AsyncAPI GitHub repositories and injected malware into project files.

“Both attacks are CI/CD pipeline compromises, not stolen npm tokens or malicious maintainers,” reads a report from Step Security.

The researchers explain that "the attacker pushed commits under a placeholder git identity and let each repository's real release workflow do the publishing via npm's GitHub OIDC trusted-publisher integration."

In doing so, the attacker ensured that the resulting packages had the legitimate SLSA provenance attestations, indicating that they originated from an authorized workflow.

The malicious AsyncAPI packages pushed to npm are:

Application security company Socket notes that the first-stage implant in the published packages is an obfuscated JavaScript statement that ultimately triggers a downloader when the infected file is imported.

A second-stage script, which contains configuration details and the main runtime, is retrieved from the IPFS peer-to-peer content delivery network and launched as a hidden process.

Cloud and application security company Wiz says that the third-stage payload "is a 92,000-line malware framework with modular architecture," which establishes persistence on the system and communicates with the command-and-control (C2) server over several channels: HTTP, Nostr relays, Ethereum smart contracts, and a libp2p mesh network.

Attack flow diagram
Source: Step Security

Although the final payload uses artifact names and configuration files pointing to the Miasma backdoor seen in past supply-chain attacks [1, 2], SafeDep researchers believe that the malware is "either a private, parallel build by the same operators or a separate group that adopted the Miasma brand after the source was published."

Its purpose appears to be stealing secrets, which include credentials, authentication keys, tokens, browser data, sensitive info from CI/CD systems and AI developer tools, cryptocurrency wallets, and databases.

Additionally, the malware code allows it to download the Gitleaks and HackBrowserData tools to help with collecting sensitive info.

However, a report from cybersecurity company Aikido notes that all these functions do not work and the data harvesting tool exits before collecting anything. Nevertheless, the researchers say that all this can be achieved manually using the shell.

Ox Security also noted that the malware performs a local check for Russia, and if there’s a match, it terminates its process.

As of writing, all five versions of the four malicious packages have been removed from npm, but developers should note that existing installations and lock files created during the exposure window may still contain the malicious releases.

The exposure window extends to approximately four hours and seven minutes, between 07:10 and 11:18 UTC on July 14.

The recommended action is to pin to known-good files, regenerate lock files, remove the hidden ‘NodeJS/sync.js’ payload, terminate all malicious processes, and rotate credentials on the impacted systems.

Test every layer before attackers do

Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.

The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.

Get the whitepaper