binding.gyp Attack Compromises Dozens of npm Supply Chain
A self-replicating worm has been quietly spreading across the npm registry, utilizing an attack vector many security teams might not typically monitor. Instead of concealing malicious scripts within...
A self-replicating worm has been quietly spreading across the npm registry, utilizing an attack vector many security teams might not typically monitor. Instead of concealing malicious scripts within `package.json` files, the attacker weaponized a tiny configuration file called `binding.gyp`. This tactic enabled the malicious code to trigger instantly when a developer executes `npm install`.
The campaign hit dozens of packages across multiple maintainer accounts in a rolling wave that lasted less than two hours, making it a fast and highly efficient supply chain strike.
The attack compromised 57 npm packages across more than 286 malicious versions on June 3, 2026. The largest target was @vapi-ai/server-sdk, the official Vapi.ai voice AI server SDK with over 408,000 monthly downloads, struck first at 23:30 UTC on that day.
Within an hour, more than 50 additional packages belonging to the maintainer jagreehal were also poisoned, including ai-sdk-ollama, which counts more than 120,000 monthly downloads.
Researchers at StepSecurity identified and analyzed the full attack chain, naming the technique “Phantom Gyp.”
StepSecurity report, shared with Cyber Security News (CSN), explains how the attacker exploited a 157-byte binding.gyp file to trigger code execution during installation, completely sidestepping the preinstall and postinstall lifecycle checks that most security scanners are built to catch.
The payload is a new variant of the Miasma worm, a self-spreading supply chain malware family that had already hit 32 packages under the @redhat-cloud-services npm namespace just two days earlier.
The attacker left a taunt in 195 GitHub repository descriptions, a reversed string that decodes to “Shai-Hulud: Here We Go Again,” a direct reference to StepSecurity’s prior Red Hat analysis. This attack is not random; it is calculated and persistent.
binding.gyp Supply Chain Attack
The binding.gyp method works because npm automatically runs node-gyp rebuild when it spots that file, treating it as a signal the package contains native C or C++ code.
The attacker embedded a shell command using gyp’s own command substitution syntax, silently launching a malicious payload while returning a fake source filename so the build shows no errors. Tools that only scan package.json for install scripts see nothing suspicious at all.
The malicious root index.js weighs 4.5 MB while the legitimate package entry point is only 27 KB, a size gap that should raise immediate suspicion.
The payload is buried under four layers of obfuscation including a ROT cipher, AES-128-GCM encryption, and a runtime-switching trick that downloads the Bun JavaScript runtime in under one second to execute the final stage outside of Node.js.
This clever move specifically evades security tooling that only monitors Node.js process activity.
Credential Theft, Worm Propagation, and AI Backdoors
Once active, the malware operates as a comprehensive credential harvester purpose-built for CI/CD environments, targeting AWS keys, GCP credentials, Azure tokens, HashiCorp Vault tokens, GitHub Actions secrets, and 1Password vaults.
It scrapes GitHub Actions runner memory directly to pull masked secrets out in unmasked form, the same technique observed in the TanStack compromise from May 2026. Stolen credentials are encrypted and uploaded to programmatically created repositories under the attacker-controlled GitHub account liuende501.
The worm does not stop at stealing credentials. It uses stolen npm tokens to enumerate every package a compromised maintainer owns, inject the binding.gyp payload into each one, and republish with forged SLSA provenance and Sigstore signing.
This makes reinfected packages appear fully legitimate even to tools specifically designed to verify supply chain integrity.
The malware also injects backdoor configuration files into AI coding assistants like Claude Code, Cursor, and Gemini, so every AI-assisted suggestion inside a poisoned project could be quietly influenced by the attacker.
StepSecurity advises teams to immediately audit repositories and CI pipelines for any affected packages, treating all credentials from compromised environments as stolen and rotating them right away.
Teams should also look for injected AI assistant files such as .claude/setup.mjs, .cursor/rules/setup.mdc, and .vscode/setup.mjs in their project repositories.
Blocking outbound network access to github.com/liuende501 and the Bun download endpoint is strongly recommended as an immediate containment measure.
Indicators of Compromise (IoCs):-
| Type | Indicator | Description |
|---|---|---|
| GitHub Account | github.com/liuende501 | Attacker-controlled exfiltration account hosting 236 programmatically created repositories |
| URL | https://github.com/oven-sh/bun/releases/download/bun-v1.3.13/bun-linux-x64-baseline.zip | Bun runtime download URL used during payload execution |
| C2 Keyword | thebeautifulmarchoftime | GitHub commit search keyword used as C2 beacon to verify channel is active |
| C2 Keyword | IfYouInvalidateThisTokenItWillNukeTheComputer | GitHub commit search keyword used to validate stolen token is not revoked |
| Fake User-Agent | python-requests/2.31.0 | User-Agent string used by malware despite running inside Bun runtime |
| Exfil Path Pattern | repos/liuende501/{repo}/contents/results/results-{timestamp}.json | Pattern used to store encrypted stolen credentials in exfiltration repos |
| File Hash (SHA256) | 288f26c2eadcb1a7923fe376d16f5404216cc… | Package tarball (.tgz) from [email protected] |
| File Hash (SHA256) | ef641e956f91d501b748085996303c96a64d6… | binding.gyp (157 bytes) — identical across all compromised versions |
| File Hash (SHA256) | 5926b86b642e00672252953eb30d8f75cfb77… | Obfuscated root index.js (4.5 MB) from [email protected] |
| File Hash (SHA256) | ceff7c51d70832c3ec8dd2744b606a23b3c92… | Decrypted Bun loader blob (907 bytes) |
| File Hash (SHA256) | da39146ef451d1b174a24d00b1e2a45cd38d5… | Decrypted main payload (668 KB) |
| File Hash (SHA256) | e3dbe63aded45278f49c4746ab938ed9472b3… | index.js from @vapi-ai/server-sdk v1.2.1 (4,870,718 bytes) |
| File Hash (SHA256) | 82d83274680df928fdda296a348e01802f595… | index.js from @vapi-ai/server-sdk v0.11.2 (4,496,586 bytes) |
| Malicious File | binding.gyp | 157-byte install hook containing the Phantom Gyp command substitution trigger |
| Malicious File | index.js (root, 4.5 MB+) | Obfuscated malware payload placed at package root, not declared as package main |
| Temp Path Pattern | /tmp/b-{random}/ | Temporary directory used to stage and execute downloaded Bun runtime |
| Temp File Pattern | /tmp/p{random}.js | Randomized temp path used to write and execute the final malware payload |
| Malicious File | .claude/setup.mjs | AI assistant backdoor file injected into victim repositories (Claude Code) |
| Malicious File | .cursor/rules/setup.mdc | AI assistant backdoor file injected into victim repositories (Cursor AI) |
| Malicious File | .gemini/settings.json | AI assistant backdoor file injected into victim repositories (Google Gemini) |
| Malicious File | .vscode/setup.mjs | AI assistant backdoor file injected into victim repositories (VS Code) |
| API Endpoint | https://registry.npmjs.org/-/whoami | Used by worm to validate stolen npm tokens before propagation |
| API Endpoint | http://169.254.169.254/latest/api/token | AWS IMDSv2 endpoint targeted for cloud credential harvesting |
| API Endpoint | http://169.254.169.254/metadata/identity | Azure IMDS endpoint targeted for cloud credential harvesting |
| Repo Description | Miasma – The Spreading Blight | Self-identifier found in 34 exfiltration repository descriptions |
| Repo Description | niagA oG eW ereH :duluH-iahS | Reversed string (“Shai-Hulud: Here We Go Again”) found in 195 exfil repo descriptions |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
No Comment! Be the first one.