CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership Jun 05, 2026

binding.gyp Supply Chain Attack Compromises Dozens of npm Packages Across Maintainer Accounts

Cybersecurity News Archived Jun 05, 2026 ✓ Full text saved

A self-replicating worm has been quietly spreading across the npm registry using a method most security teams do not watch for. Instead of hiding inside package.json scripts, the attacker weaponized a tiny configuration file called binding.gyp to trigger malicious code the moment a developer runs npm install. The campaign hit dozens of packages across multiple […] The post binding.gyp Supply Chain Attack Compromises Dozens of npm Packages Across Maintainer Accounts appeared first on Cyber Securi

Full text archived locally
✦ AI Summary · Claude Sonnet


    Discover more Disk Digital security consulting Incident response services HomeCyber Security News binding.gyp Supply Chain Attack Compromises Dozens of npm Packages Across Maintainer Accounts By Tushar Subhra Dutta June 4, 2026 A self-replicating worm has been quietly spreading across the npm registry using a method most security teams do not watch for. Instead of hiding inside package.json scripts, the attacker weaponized a tiny configuration file called binding.gyp to trigger malicious code the moment a developer runs npm install. The campaign hit dozens of packages across multiple maintainer accounts in a rolling wave that lasted less than two hours, making it a fast and highly efficient supply chain strike. The attack compromised 57 npm packages across more than 286 malicious versions on June 3, 2026. The largest target was @vapi-ai/server-sdk, the official Vapi.ai voice AI server SDK with over 408,000 monthly downloads, struck first at 23:30 UTC on that day. Within an hour, more than 50 additional packages belonging to the maintainer jagreehal were also poisoned, including ai-sdk-ollama, which counts more than 120,000 monthly downloads. Researchers at StepSecurity identified and analyzed the full attack chain, naming the technique “Phantom Gyp.” StepSecurity report, shared with Cyber Security News (CSN), explains how the attacker exploited a 157-byte binding.gyp file to trigger code execution during installation, completely sidestepping the preinstall and postinstall lifecycle checks that most security scanners are built to catch. The payload is a new variant of the Miasma worm, a self-spreading supply chain malware family that had already hit 32 packages under the @redhat-cloud-services npm namespace just two days earlier. The attacker left a taunt in 195 GitHub repository descriptions, a reversed string that decodes to “Shai-Hulud: Here We Go Again,” a direct reference to StepSecurity’s prior Red Hat analysis. This attack is not random; it is calculated and persistent. binding.gyp Supply Chain Attack The binding.gyp method works because npm automatically runs node-gyp rebuild when it spots that file, treating it as a signal the package contains native C or C++ code. The attacker embedded a shell command using gyp’s own command substitution syntax, silently launching a malicious payload while returning a fake source filename so the build shows no errors. Tools that only scan package.json for install scripts see nothing suspicious at all. Four-Stage Payload (Source – StepSecurity) The malicious root index.js weighs 4.5 MB while the legitimate package entry point is only 27 KB, a size gap that should raise immediate suspicion. The payload is buried under four layers of obfuscation including a ROT cipher, AES-128-GCM encryption, and a runtime-switching trick that downloads the Bun JavaScript runtime in under one second to execute the final stage outside of Node.js. This clever move specifically evades security tooling that only monitors Node.js process activity. Credential Theft, Worm Propagation, and AI Backdoors Once active, the malware operates as a comprehensive credential harvester purpose-built for CI/CD environments, targeting AWS keys, GCP credentials, Azure tokens, HashiCorp Vault tokens, GitHub Actions secrets, and 1Password vaults. It scrapes GitHub Actions runner memory directly to pull masked secrets out in unmasked form, the same technique observed in the TanStack compromise from May 2026. Stolen credentials are encrypted and uploaded to programmatically created repositories under the attacker-controlled GitHub account liuende501. Multi-Cloud Credential Theft (Source – StepSecurity) The worm does not stop at stealing credentials. It uses stolen npm tokens to enumerate every package a compromised maintainer owns, inject the binding.gyp payload into each one, and republish with forged SLSA provenance and Sigstore signing. This makes reinfected packages appear fully legitimate even to tools specifically designed to verify supply chain integrity. The malware also injects backdoor configuration files into AI coding assistants like Claude Code, Cursor, and Gemini, so every AI-assisted suggestion inside a poisoned project could be quietly influenced by the attacker. StepSecurity advises teams to immediately audit repositories and CI pipelines for any affected packages, treating all credentials from compromised environments as stolen and rotating them right away. Teams should also look for injected AI assistant files such as .claude/setup.mjs, .cursor/rules/setup.mdc, and .vscode/setup.mjs in their project repositories. Blocking outbound network access to github.com/liuende501 and the Bun download endpoint is strongly recommended as an immediate containment measure. Indicators of Compromise (IoCs):- Type Indicator Description GitHub Account github.com/liuende501 Attacker-controlled exfiltration account hosting 236 programmatically created repositories URL https://github.com/oven-sh/bun/releases/download/bun-v1.3.13/bun-linux-x64-baseline.zip Bun runtime download URL used during payload execution C2 Keyword thebeautifulmarchoftime GitHub commit search keyword used as C2 beacon to verify channel is active C2 Keyword IfYouInvalidateThisTokenItWillNukeTheComputer GitHub commit search keyword used to validate stolen token is not revoked Fake User-Agent python-requests/2.31.0 User-Agent string used by malware despite running inside Bun runtime Exfil Path Pattern repos/liuende501/{repo}/contents/results/results-{timestamp}.json Pattern used to store encrypted stolen credentials in exfiltration repos File Hash (SHA256) 288f26c2eadcb1a7923fe376d16f5404216cc… Package tarball (.tgz) from executable-stories-demo@0.1.11 File Hash (SHA256) ef641e956f91d501b748085996303c96a64d6… binding.gyp (157 bytes) — identical across all compromised versions File Hash (SHA256) 5926b86b642e00672252953eb30d8f75cfb77… Obfuscated root index.js (4.5 MB) from executable-stories-demo@0.1.11 File Hash (SHA256) ceff7c51d70832c3ec8dd2744b606a23b3c92… Decrypted Bun loader blob (907 bytes) File Hash (SHA256) da39146ef451d1b174a24d00b1e2a45cd38d5… Decrypted main payload (668 KB) File Hash (SHA256) e3dbe63aded45278f49c4746ab938ed9472b3… index.js from @vapi-ai/server-sdk v1.2.1 (4,870,718 bytes) File Hash (SHA256) 82d83274680df928fdda296a348e01802f595… index.js from @vapi-ai/server-sdk v0.11.2 (4,496,586 bytes) Malicious File binding.gyp 157-byte install hook containing the Phantom Gyp command substitution trigger Malicious File index.js (root, 4.5 MB+) Obfuscated malware payload placed at package root, not declared as package main Temp Path Pattern /tmp/b-{random}/ Temporary directory used to stage and execute downloaded Bun runtime Temp File Pattern /tmp/p{random}.js Randomized temp path used to write and execute the final malware payload Malicious File .claude/setup.mjs AI assistant backdoor file injected into victim repositories (Claude Code) Malicious File .cursor/rules/setup.mdc AI assistant backdoor file injected into victim repositories (Cursor AI) Malicious File .gemini/settings.json AI assistant backdoor file injected into victim repositories (Google Gemini) Malicious File .vscode/setup.mjs AI assistant backdoor file injected into victim repositories (VS Code) API Endpoint https://registry.npmjs.org/-/whoami Used by worm to validate stolen npm tokens before propagation API Endpoint http://169.254.169.254/latest/api/token AWS IMDSv2 endpoint targeted for cloud credential harvesting API Endpoint http://169.254.169.254/metadata/identity Azure IMDS endpoint targeted for cloud credential harvesting Repo Description Miasma – The Spreading Blight Self-identifier found in 34 exfiltration repository descriptions Repo Description niagA oG eW ereH :duluH-iahS Reversed string (“Shai-Hulud: Here We Go Again”) found in 195 exfil repo descriptions Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM. Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Tushar Subhra Dutta Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics. Trending News Iran-Linked Hackers Destroy IT, Backups, and Recovery Systems in Cyberattack targeting Middle East Android 0-Day Vulnerability Exploited in Attacks to Gain Complete Device Control Anthropic Expands Project Glasswing Claude Mythos Preview to 150 New Organizations 1-Click GitHub Token Vulnerability Lets Attackers Steal Users’ OAuth Tokens Palo Alto Networks PAN-OS Authentication Vulnerability Bypass Exploited in the Wild Latest News Cyber Security News Hackers Use Malicious Ads to Deliver FlutterShell Backdoor on macOS Systems Cyber Security News Hackers Use Fake Claude Code Install Page to Deliver Fileless .NET Infostealer Cyber Security News IronWorm Supply Chain Attack Uses Malicious npm Packages to Steal Developer Secrets Cyber Security News Stock Exchange Executive’s Outlook Account Targeted to Exfiltrate Credentials Cyber Security News CISA Warns of critical Magento Cache Warmer RCE flaw Exploited in Attacks
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    Jun 05, 2026
    Archived
    Jun 05, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗