Threat Summary
OTX Pulse data reveals a critical supply chain attack targeting the technology sector, specifically leveraging the popular AsyncAPI project. On July 14, 2026, an unidentified threat actor (potentially linked to the "M-RED-TEAM" moniker) exploited a 'pwn request' vulnerability within a misconfigured GitHub Actions workflow.
The attack chain involved the submission of 37 pull requests, one of which contained obfuscated JavaScript designed to trigger a specific environment state. By exploiting the workflow's handling of forked PRs, the attacker successfully exfiltrated a highly privileged Personal Access Token (PAT) associated with the asyncapi-bot. Using these stolen credentials, the actor published five malicious packages to the npm registry. The objective appears to be widespread distribution of the Miasma infostealer to compromise developer environments and steal additional credentials, source code, and cloud keys.
Threat Actor / Malware Profile
Miasma & M-RED-TEAM
- Classification: Infostealer / Supply Chain Compromise Tool
- Primary Vector: Malicious npm Packages (Dependency Confusion / Compromised Publish Credentials)
- Targeted Infrastructure: CI/CD pipelines, Developer workstations, Source repositories
Malware Behavior & Capabilities:
- Distribution: Propagates via malicious npm packages masquerading as legitimate AsyncAPI dependencies or updates.
- Payload Behavior: Upon installation (via
npm install), the malicious JavaScript executes. It is obfuscated to evade static analysis. - C2 Communication: Miasma likely establishes outbound connections to attacker-controlled infrastructure (possibly leveraging IPFS or Nostr relays as mentioned in pulse tags) to exfiltrate harvested data.
- Persistence: The malware seeks persistence within the
node_modulesdirectory or by modifying build scripts to ensure execution during future build processes. - Anti-Analysis: The use of obfuscated JavaScript and the "pwn request" technique indicates an effort to bypass standard repository security scans and workflow restrictions.
IOC Analysis
The current pulse provides 5 SHA1 file hashes. These indicators correspond to the malicious npm package tarballs or the specific JavaScript payloads within the AsyncAPI generator compromise.
Operational Guidance:
- File Hashes (SHA1): Load these into EDR solutions and SIEM correlation rules. They should trigger on any file creation or execution event.
- Tooling: Use
yarato scannode_modulesdirectories. Validate hashes using native tools likeshasum(Linux/macOS) orCertUtil(Windows). - Context: These files represent the artifacts of a supply chain injection. Detection in the environment implies a successful installation of a compromised package.
Detection Engineering
Sigma Rules
title: Potential GitHub Actions Pwn Request Pattern
description: Detects suspicious script execution or variable printing in GitHub Actions logs that may indicate a 'pwn request' attempt to steal repository secrets.
author: Security Arsenal Research
date: 2026/07/14
status: experimental
references:
- https://www.wiz.io/blog/m-red-team-asyncapi-supply-chain-compromise-via-github-actions
tags:
- attack.credential_access
- attack.t1552.001
- attack.supply_chain
logsource:
category: process_creation
product: linux
detection:
selection:
ParentImage|endswith: 'node'
Image|endswith: 'bash'
CommandLine|contains: 'echo'
filter_legit:
CommandLine|contains:
- 'step summary'
- 'workflow command'
condition: selection and not filter_legit
falsepositives:
- Legitimate debugging in CI/CD pipelines
level: high
---
title: Miasma Infostealer NPM Package Execution
description: Detects execution of node processes originating from specific malicious npm package hashes or suspicious directory structures associated with the AsyncAPI compromise.
author: Security Arsenal Research
date: 2026/07/14
status: experimental
tags:
- attack.execution
- attack.t1204
- attack.initial_access
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: 'node.exe'
ParentImage|contains: 'npm'
condition: selection
falsepositives:
- Standard npm package executions
level: medium
---
title: Suspicious Obfuscated JavaScript in Webhook Payloads
description: Identifies potential injection of obfuscated JavaScript in webhook or workflow trigger logs, indicative of supply chain manipulation.
author: Security Arsenal Research
date: 2026/07/14
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.initial_access
logsource:
product: azure
service: activitylogs
detection:
selection:
OperationNameValue: 'microsoft.web/sites/functions/trigger'
keywords:
Channel|contains: 'github'
obfuscation:
Properties|contains|re: '(\\x[0-9a-f]{2}|\\u[0-9a-f]{4})'
condition: selection and keywords and obfuscation
falsepositives:
- Minified code in legitimate deployments
level: high
KQL (Microsoft Sentinel)
// Hunt for specific IOCs (SHA1 Hashes) in file creation events
let IOCs = pack_array(
"22bf76fe317ea6769bd38619bd440e42d119bd6b",
"9890950adcbc2478e7a080234f053214adbad44e",
"a7e18d96efd3cdb127ef4cdcad9e3ad26c482bf2",
"c70e105e212ff3c1daa04bb2a62507717f296b0b",
"c8cb3f6d5b90c46686d2bf531dc1a5786e27edc5"
);
DeviceFileEvents
| where SHA1 in (IOCs)
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessAccountName, InitiatingProcessFileName
| extend FileHash = SHA1
;
// Hunt for suspicious node processes making network connections (Potential C2)
DeviceNetworkEvents
| where InitiatingProcessFileName == "node.exe"
| where InitiatingProcessParentFileName contains "npm"
| where RemotePort in (80, 443, 8080)
| summarize count() by DeviceName, RemoteUrl, InitiatingProcessCommandLine
| order by count_ desc
PowerShell Hunt Script
<#
.SYNOPSIS
Hunt script for Miasma Infostealer IOCs associated with the AsyncAPI compromise.
.DESCRIPTION
Scans common NPM cache and node_modules directories for the specific SHA1 hashes related to the Miasma campaign.
#>
$MaliciousHashes = @(
"22bf76fe317ea6769bd38619bd440e42d119bd6b",
"9890950adcbc2478e7a080234f053214adbad44e",
"a7e18d96efd3cdb127ef4cdcad9e3ad26c482bf2",
"c70e105e212ff3c1daa04bb2a62507717f296b0b",
"c8cb3f6d5b90c46686d2bf531dc1a5786e27edc5"
)
# Define scan paths (User profiles and global npm cache)
$ScanPaths = @(
"$env:APPDATA\npm-cache",
"$env:USERPROFILE\node_modules",
"C:\Program Files\nodejs\node_modules"
)
Write-Host "[+] Starting hunt for Miasma IOCs..." -ForegroundColor Cyan
foreach ($Path in $ScanPaths) {
if (Test-Path $Path) {
Write-Host "[+] Scanning: $Path" -ForegroundColor Yellow
Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
$Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA1 -ErrorAction SilentlyContinue).Hash
if ($MaliciousHashes -contains $Hash) {
Write-Host "[!] ALERT: Malicious file detected: $($_.FullName)" -ForegroundColor Red
Write-Host " - Hash: $Hash" -ForegroundColor Red
}
}
}
}
Write-Host "[+] Hunt complete." -ForegroundColor Green
Response Priorities
-
Immediate:
- Block IOCs: Push the provided SHA1 hashes to all EDR and firewall blocklists immediately.
- Quarantine: Isolate any workstations or build servers where these file hashes have been detected.
- Revoke Credentials: Assume any PATs or secrets associated with the
AsyncAPIproject or similar bots in your environment are compromised. Rotate them immediately.
-
24 Hours:
- Supply Chain Audit: Audit all npm packages currently used in CI/CD pipelines. Verify package integrity and check for typosquatting.
- Identity Verification: If credential theft is suspected, enforce MFA resets and review Azure AD / Okta logs for anomalous access from developer accounts.
-
1 Week:
- CI/CD Hardening: Review GitHub Actions configurations. Disable workflows triggered by fork PRs if not strictly necessary. Implement strict environment variable protection (e.g.,
GITHUB_TOKENwrite permissions). - Dependency Pinning: Enforce strict versioning for
package-lock.andyarn.lockfiles to prevent unintended updates.
- CI/CD Hardening: Review GitHub Actions configurations. Disable workflows triggered by fork PRs if not strictly necessary. Implement strict environment variable protection (e.g.,
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.