AsyncAPI Miasma RAT via CI/CD compromise
How greenflagged detected the Miasma RAT in @asyncapi
Another day, another NPM supply chain attack
On July 14, 2026 an attacker stole a privileged personal access token. The attacker shipped five package versions that contained malicious code to the NPM registry.
Wiz has a great write-up on the attack details here. StepSecurity also has an excellent write-up here. Make sure to visit those write-ups if you’re interested in the details of the attack.
How Greenflagged detected the attack
Greenflagged is a new kind of package registry. It is a mirror that sits between NPM and you. Every package that you request from Greenflagged gets run through a scanning pipeline to determine whether it is safe to use or not. Depending on the results of the scanning pipeline, a tiered AI reviewer looks at the suspicious code and determines whether it is safe. The result of this scanning pipeline is that Greenflagged package registry never served the compromised versions. And not because there was a “bake period” but because we determined that package to be dangerous:
- https://greenflagged.dev/packages/@asyncapi/generator/v/3.3.1
- https://greenflagged.dev/packages/@asyncapi/generator-components/v/0.7.1
- https://greenflagged.dev/packages/@asyncapi/specs/v/6.11.2
- https://greenflagged.dev/packages/@asyncapi/specs/v/6.11.2-alpha.1
- https://greenflagged.dev/packages/@asyncapi/generator-helpers/v/1.1.1