AsyncAPI Compromise Reported C2 Endpoints
Hunts network connection telemetry for the historical IP address and ports reported for the Miasma runtime delivered through compromised AsyncAPI packages. Validate connection time, current ownership, initiating process, and local package exposure before escalation.
Sigma source
Raw YAMLtitle: AsyncAPI Compromise Reported C2 Endpoints
id: 5a474d8b-bc48-4b54-8269-48463d216681
status: experimental
author: FRAME ZERO
date: 2026-07-16
description: Hunts network connection telemetry for the historical IP address and ports reported for the Miasma runtime delivered through compromised AsyncAPI packages. Validate connection time, current ownership, initiating process, and local package exposure before escalation.
references:
- https://www.microsoft.com/en-us/security/blog/2026/07/15/unpacking-asyncapi-npm-supply-chain-compromise-import-time-payload-delivery/
logsource:
category: network_connection
detection:
selection:
DestinationIp: '85.137.53.71'
DestinationPort:
- 8080
- 8081
- 8091
condition: selection
falsepositives:
- Reassigned or shared infrastructure after the reporting period
- Authorized security testing that replays the historical indicator
- Telemetry normalization that records a proxy or gateway address instead of the final destination
level: high
tags:
- attack.command-and-control
- attack.t1071