node-gyp npm Supply Chain Compromise (June 2026)

2026-06-01

Wave 1: Attacker uses a compromised Red Hat employee GitHub account to inject malicious preinstall hooks into 32+ packages (96 versions) across the @redhat-cloud-services npm namespace; Wiz Research identifies the compromise; most malicious versions revoked by 14:00 UTC.

2026-06-03

Wave 2 begins at 23:30 UTC: four malicious versions of @vapi-ai/server-sdk published using the Phantom Gyp (binding.gyp) technique; within under two hours, 50+ additional packages in the jagreehal maintainer account and related families are compromised — 57 packages and 286+ malicious versions in total.

2026-06-04

StepSecurity publishes initial disclosure naming the technique 'Phantom Gyp' and the campaign 'Miasma'; JFrog publishes analysis tying it to the Shai-Hulud worm lineage; malicious Wave 2 package versions begin to be delisted from the npm registry.

2026-06-05

Snyk, ReversingLabs, Corgea, Chainguard, and Wiz publish independent technical analyses; Cybersecurity Dive reports on the Red Hat connection; Red Hat confirms no official products were impacted.

2026-06-06

JFrog identifies a 'Hades' variant of the campaign extending propagation to PyPI (.pth loader injection), RubyGems (extconf.rb injection), and JFrog Artifactory, and introducing AI assistant prompt injection via jailbreak prompts in Cursor, Copilot, and Claude rule files.

2026-06-13

npm announces v12 security overhaul that will block install scripts (including binding.gyp-triggered node-gyp invocations) by default, with a July 2026 migration deadline for CI environments.