A supply chain compromise has placed AsyncAPI npm packages at the center of a significant developer security incident. Five trojanized releases with roughly 2.9 million combined weekly downloads were published after an attacker gained access to an npm publishing token through a GitHub Actions workflow vulnerability.
Security firm Aikido identified the malicious releases on July 14. The attack began in the AsyncAPI generator repository, where a GitHub Actions workflow used the pull_request_target trigger. This configuration exposed repository secrets when code from an external pull request was checked out during workflow execution.
The attacker opened multiple pull requests and used one to exfiltrate the npm token to rentry.co before publishing altered packages. The compromised packages delivered Miasma v3, a persistent remote-access backdoor targeting development workstations and build servers.
Miasma establishes persistence through scheduled tasks and system hooks, giving attackers ongoing access to compromised developer environments. The backdoor can steal environment variables, SSH keys, cloud provider credentials, and source code from infected machines.
Organizations should audit npm dependencies for trojanized AsyncAPI packages, rotate exposed credentials, and review GitHub Actions workflows for unsafe pull_request_target usage that could expose repository secrets.
