AsyncAPI Miasma RAT via CI/CD compromise

How greenflagged detected the Miasma RAT in @asyncapi

Another day, another NPM supply chain attack

On July 14, 2026 an attacker stole a privileged personal access token. The attacker shipped five package versions that contained malicious code to the NPM registry.

Wiz has a great write-up on the attack details here. StepSecurity also has an excellent write-up here. Make sure to visit those write-ups if you’re interested in the details of the attack.

How Greenflagged detected the attack

Greenflagged is a new kind of package registry. It is a mirror that sits between NPM and you. Every package that you request from Greenflagged gets run through a scanning pipeline to determine whether it is safe to use or not. Depending on the results of the scanning pipeline, a tiered AI reviewer looks at the suspicious code and determines whether it is safe. The result of this scanning pipeline is that Greenflagged package registry never served the compromised versions. And not because there was a “bake period” but because we determined that package to be dangerous: