binding.gyp Supply Chain Attack Compromises Dozens of npm Packages Across Maintainer Accounts

A self-replicating worm has been quietly spreading across the npm registry using a method most security teams do not watch for. Instead of hiding inside package.json scripts, the attacker weaponized a tiny configuration file called binding.gyp to trigger malicious code the moment a developer runs npm install.

The campaign hit dozens of packages across multiple maintainer accounts in a rolling wave that lasted less than two hours, making it a fast and highly efficient supply chain strike.

The attack compromised 57 npm packages across more than 286 malicious versions on June 3, 2026. The largest target was @vapi-ai/server-sdk, the official Vapi.ai voice AI server SDK with over 408,000 monthly downloads, struck first at 23:30 UTC on that day.

Within an hour, more than 50 additional packages belonging to the maintainer jagreehal were also poisoned, including ai-sdk-ollama, which counts more than 120,000 monthly downloads.

Researchers at StepSecurity identified and analyzed the full attack chain, naming the technique “Phantom Gyp.”

StepSecurity report, shared with Cyber Security News (CSN), explains how the attacker exploited a 157-byte binding.gyp file to trigger code execution during installation, completely sidestepping the preinstall and postinstall lifecycle checks that most security scanners are built to catch.

The payload is a new variant of the Miasma worm, a self-spreading supply chain malware family that had already hit 32 packages under the @redhat-cloud-services npm namespace just two days earlier.

The attacker left a taunt in 195 GitHub repository descriptions, a reversed string that decodes to “Shai-Hulud: Here We Go Again,” a direct reference to StepSecurity’s prior Red Hat analysis. This attack is not random; it is calculated and persistent.

binding.gyp Supply Chain Attack

The binding.gyp method works because npm automatically runs node-gyp rebuild when it spots that file, treating it as a signal the package contains native C or C++ code.

The attacker embedded a shell command using gyp’s own command substitution syntax, silently launching a malicious payload while returning a fake source filename so the build shows no errors. Tools that only scan package.json for install scripts see nothing suspicious at all.

The malicious root index.js weighs 4.5 MB while the legitimate package entry point is only 27 KB, a size gap that should raise immediate suspicion.

The payload is buried under four layers of obfuscation including a ROT cipher, AES-128-GCM encryption, and a runtime-switching trick that downloads the Bun JavaScript runtime in under one second to execute the final stage outside of Node.js.

This clever move specifically evades security tooling that only monitors Node.js process activity.

Credential Theft, Worm Propagation, and AI Backdoors

Once active, the malware operates as a comprehensive credential harvester purpose-built for CI/CD environments, targeting AWS keys, GCP credentials, Azure tokens, HashiCorp Vault tokens, GitHub Actions secrets, and 1Password vaults.

It scrapes GitHub Actions runner memory directly to pull masked secrets out in unmasked form, the same technique observed in the TanStack compromise from May 2026. Stolen credentials are encrypted and uploaded to programmatically created repositories under the attacker-controlled GitHub account liuende501.

The worm does not stop at stealing credentials. It uses stolen npm tokens to enumerate every package a compromised maintainer owns, inject the binding.gyp payload into each one, and republish with forged SLSA provenance and Sigstore signing.

This makes reinfected packages appear fully legitimate even to tools specifically designed to verify supply chain integrity.

The malware also injects backdoor configuration files into AI coding assistants like Claude Code, Cursor, and Gemini, so every AI-assisted suggestion inside a poisoned project could be quietly influenced by the attacker.

StepSecurity advises teams to immediately audit repositories and CI pipelines for any affected packages, treating all credentials from compromised environments as stolen and rotating them right away.

Teams should also look for injected AI assistant files such as .claude/setup.mjs, .cursor/rules/setup.mdc, and .vscode/setup.mjs in their project repositories.

Blocking outbound network access to github.com/liuende501 and the Bun download endpoint is strongly recommended as an immediate containment measure.

Indicators of Compromise (IoCs):-

Type	Indicator	Description
GitHub Account	github.com/liuende501	Attacker-controlled exfiltration account hosting 236 programmatically created repositories
URL	https://github.com/oven-sh/bun/releases/download/bun-v1.3.13/bun-linux-x64-baseline.zip	Bun runtime download URL used during payload execution
C2 Keyword	thebeautifulmarchoftime	GitHub commit search keyword used as C2 beacon to verify channel is active
C2 Keyword	IfYouInvalidateThisTokenItWillNukeTheComputer	GitHub commit search keyword used to validate stolen token is not revoked
Fake User-Agent	python-requests/2.31.0	User-Agent string used by malware despite running inside Bun runtime
Exfil Path Pattern	repos/liuende501/{repo}/contents/results/results-{timestamp}.json	Pattern used to store encrypted stolen credentials in exfiltration repos
File Hash (SHA256)	288f26c2eadcb1a7923fe376d16f5404216cc…	Package tarball (.tgz) from [email protected]
File Hash (SHA256)	ef641e956f91d501b748085996303c96a64d6…	binding.gyp (157 bytes) — identical across all compromised versions
File Hash (SHA256)	5926b86b642e00672252953eb30d8f75cfb77…	Obfuscated root index.js (4.5 MB) from [email protected]
File Hash (SHA256)	ceff7c51d70832c3ec8dd2744b606a23b3c92…	Decrypted Bun loader blob (907 bytes)
File Hash (SHA256)	da39146ef451d1b174a24d00b1e2a45cd38d5…	Decrypted main payload (668 KB)
File Hash (SHA256)	e3dbe63aded45278f49c4746ab938ed9472b3…	index.js from @vapi-ai/server-sdk v1.2.1 (4,870,718 bytes)
File Hash (SHA256)	82d83274680df928fdda296a348e01802f595…	index.js from @vapi-ai/server-sdk v0.11.2 (4,496,586 bytes)
Malicious File	binding.gyp	157-byte install hook containing the Phantom Gyp command substitution trigger
Malicious File	index.js (root, 4.5 MB+)	Obfuscated malware payload placed at package root, not declared as package main
Temp Path Pattern	/tmp/b-{random}/	Temporary directory used to stage and execute downloaded Bun runtime
Temp File Pattern	/tmp/p{random}.js	Randomized temp path used to write and execute the final malware payload
Malicious File	.claude/setup.mjs	AI assistant backdoor file injected into victim repositories (Claude Code)
Malicious File	.cursor/rules/setup.mdc	AI assistant backdoor file injected into victim repositories (Cursor AI)
Malicious File	.gemini/settings.json	AI assistant backdoor file injected into victim repositories (Google Gemini)
Malicious File	.vscode/setup.mjs	AI assistant backdoor file injected into victim repositories (VS Code)
API Endpoint	https://registry.npmjs.org/-/whoami	Used by worm to validate stolen npm tokens before propagation
API Endpoint	http://169.254.169.254/latest/api/token	AWS IMDSv2 endpoint targeted for cloud credential harvesting
API Endpoint	http://169.254.169.254/metadata/identity	Azure IMDS endpoint targeted for cloud credential harvesting
Repo Description	Miasma – The Spreading Blight	Self-identifier found in 34 exfiltration repository descriptions
Repo Description	niagA oG eW ereH :duluH-iahS	Reversed string (“Shai-Hulud: Here We Go Again”) found in 195 exfil repo descriptions

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.