npm Supply Chain Attacks: Miasma RAT & CI/CD Pipeline Exploits
A Unit 42 report details the evolution of npm supply chain attacks since the Shai-Hulud worm in 2025. It describes recent 2026 campaigns by the threat actor TeamPCP and the deployment of a new Miasma RAT variant. A significant attack on July 14, 2026, compromised AsyncAPI's GitHub repositories by exploiting unprotected pre-production branches in its CI/CD pipeline. This allowed attackers to bypass code reviews, steal credentials like NPM_TOKEN, and publish trojanized packages. The Miasma payload uses a multi-stage, obfuscated process, fetches a second stage from IPFS, and establishes persistence on compromised developer systems. The analysis highlights a strategic shift towards more sophisticated, systematic campaigns targeting software development lifecycles.