A recent supply chain attack compromised dozens of npm packages through an unusual vector. Instead of declaring a preinstall or postinstall script, the malicious versions shipped a binding.gyp file, which npm treats as a signal to run node-gyp during npm install. The payload therefore executed as soon as a package was installed, while evading checks that look only at the lifecycle scripts declared in package.json.
Details of the Attack
The operation affected dozens of packages across several maintainer accounts and ran its course in under two hours. On June 3, 2026, a total of 57 npm packages were compromised across more than 286 published versions. The first target was @vapi-ai/server-sdk, a widely used AI server SDK, compromised at 23:30 UTC.
More than 50 packages associated with the maintainer jagreehal, including ai-sdk-ollama, were compromised shortly afterwards. The timeline shows how quickly a single set of stolen publishing credentials can be turned into a large-scale compromise.
Technical Analysis and Impact
StepSecurity researchers named the technique ‘Phantom Gyp’. It relies on a 157-byte binding.gyp file to trigger code execution. The mechanism is npm's documented default behaviour: when a package contains a binding.gyp in its root and declares no install or preinstall script, npm substitutes node-gyp rebuild as the install step. The malicious file therefore needed no entry under scripts in package.json, and scanners or reviewers that key on that block saw a package with no lifecycle hooks at all.
The payload is a variant of the Miasma worm, which had previously compromised 32 packages under the @redhat-cloud-services namespace. Taunting messages left by the attacker in numerous GitHub repositories indicate a calculated and persistent operator rather than an opportunistic one.
Consequences and Recommendations
The malware operates as a credential harvester, targeting cloud service credentials and secrets held in CI/CD environments. It uses the stolen credentials to propagate, injecting its payload into additional packages and publishing them under the compromised maintainers' legitimate identities, so each new malicious version looks like an ordinary release.
Developers are urged to audit repositories and CI pipelines for signs of compromise and to treat every credential reachable from an affected environment as compromised: npm publishing tokens, cloud credentials and CI secrets alike. Rotate them immediately, and block access to the attacker's GitHub account and associated download endpoints. Because the implicit node-gyp step is a lifecycle script like any other, running npm install or npm ci with --ignore-scripts in CI suppresses it along with preinstall and postinstall hooks; native addons that genuinely need compilation must then be built in an explicit, reviewed step.
Teams should also search for files injected to influence AI coding assistants and remove any backdoor access such files establish.
The binding.gyp supply chain attack is a reminder that any file npm acts on at install time is an execution vector, and that checks limited to the scripts block of package.json are not enough on their own.
