AsyncAPI compromis : quatre paquets npm qui alimentaient une botnet

15 juil. 2026

AsyncAPI compromis : quatre paquets npm qui alimentaient une botnet

Translating article content

I need to replace the text in h3 and h4 tags with their French equivalents while keeping the tags intact. There’s no need to translate image tags since there aren’t any present, just a script embed for Instagram. That’s fine. I will draft the article in French, maintaining a similar structure to the original. The content discusses AsyncAPI being linked to software supply chain attacks and also mentions malware and infected package versions.Explaining malware in code

I’m looking at a point about how malware can be hidden in source code rather than just in install scripts. This malicious code can get through script blockers and trigger payloads upon loading, acting as a background process. Then, there’s a focus on how trust in npm relies on metadata associated with GitHub Actions. This metadata should correspond across generator packages. It highlights the importance of metadata in establishing provenance, even if it doesn’t guarantee the content’s safety. The discussion also outlines three stages of the payload, detailing how it gets implanted, downloaded, and decrypted.Detailing the stages of malware

In Stage 2, the downloader fetches sync.js through an IPFS gateway, copying directory structures for various operating systems like Windows, macOS, and Linux. After writing this, another Node process begins to run an 8.25 MB file. Moving to Stage 3, sync.js acts as a wrapper for decrypting Miasma, employing methods like HKDF-SHA256 and AES-256-GCM along with character rotation to execute an additional 3.09 MB of JavaScript. Miasma also acts as its task framework, configuring targeting specifics while marking npm as the main target ecosystem.Describing malware infrastructure

The C2 infrastructure operates on a single IPv4 address with endpoints using REST on ports 8080, 8081, and 8091. It has dormant modules for Nostr, IPFS, Ethereum RPC, and more, confirmed to have functional handlers for various actions. Persistence on Linux is set through a user systemd unit as miasma-monitor. Next, just having an affected package in a lockfile doesn’t necessarily compromise a host; specific interactions are needed for exposure. Cleanup isn’t as simple, since deleting node_modules doesn’t reverse the effects left by prior stages; traces remain.Translating AsyncAPI article

I need to create a checklist for teams using AsyncAPI, starting with auditing the dependency tree and fixing versions, then checking GitHub audit logs. We should treat CI runners that used these packages as forensic cases. For the French translation, I’ll keep h3 and h4 headings, translating everything but code elements. Many parts need to be rewritten, such as the description of AsyncAPI’s involvement in supply chain attacks, malware classifications, and the importance of metadata and exposure. I’ll ensure clear translation while maintaining structure!

Fabien Delpont

Auteur

Fabien Delpont

Fabien Delpont, développeur et créateur du site Python Doctor.