
Audit log

Every state-changing event for node-gyp npm Supply Chain Compromise (June 2026): moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.

  1. #1 publish by system:backfill
    2026-06-19 12:17:11Z
    Score: ?? (no score change)
    anchor: anchored
    chain: mainnet-beta, slot 427,504,237
    sig: 4e6zEujS81sS…Gg1XMqY3 (explorer ↗)
    hash: DFiJAFufKBUo…ZuY37xbg (sha256 → base58)
    row integrity: verifying row… (full verify ↗)
    canonical bytes (28497 B):
    {"actor":"system:backfill","investigation_id":"10622728-729b-44eb-90d4-6ea9f25dae1a","kind":"publish","page_slug":"node-gyp-npm-supply-chain-compromise-june-2026","published_at":"2026-06-19T12:17:11.387Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"node-gyp npm Supply Chain Compromise (June 2026)","sections":[{"content":"The Miasma campaign unfolded in two distinct waves in early June 2026. The first wave on June 1, 2026 compromised 32 packages under the official @redhat-cloud-services npm namespace via a hijacked Red Hat employee GitHub account, which injected malicious OIDC token-requesting workflows and published packages bearing valid SLSA v1 provenance attestations. Wiz Research identified this wave and reported that most malicious versions were revoked by 14:00 UTC that day, with a second sub-wave discovered on June 4. The second and larger wave began at approximately 23:30 UTC on June 3, when four malicious versions of @vapi-ai/server-sdk — the official Vapi.ai voice AI server SDK with more than 408,000 monthly downloads — were published. Within under two hours, 50+ additional packages belonging to maintainer jagreehal (including ai-sdk-ollama with 120,000+ monthly downloads) and several other package families were poisoned, resulting in 286+ total malicious versions across 57 packages. 
Security firm StepSecurity named the install-time technique 'Phantom Gyp' and tracks the broader campaign as 'Miasma,' which it characterizes as a descendant of the Shai-Hulud worm family active since at least September 2025 — this event constituting the eighth distinct attack in that lineage.","heading":"Event Overview","severity":"critical","sources":[{"credibility":2,"name":"Miasma npm Supply Chain Attack: Self-Spreading Worm via Phantom Gyp — StepSecurity","type":"research","url":"https://www.stepsecurity.io/blog/binding-gyp-npm-supply-chain-attack-spreads-like-worm"},{"credibility":2,"name":"Node-gyp Supply Chain Compromise — Snyk","type":"research","url":"https://snyk.io/blog/node-gyp-supply-chain-compromise-self-propagating-npm-worm-binding-gyp/"},{"credibility":2,"name":"Miasma: Supply Chain Attack Targeting RedHat npm Packages — Wiz Blog","type":"research","url":"https://www.wiz.io/blog/miasma-supply-chain-attack-targeting-redhat-npm-packages"},{"credibility":2,"name":"Shai-Hulud — Miasma: The Spreading Blight Hits Red Hat npm Packages — JFrog Security Research","type":"research","url":"https://research.jfrog.com/post/shai-hulud-miasma-redhat-cloud-services/"}]},{"content":"Rather than using the preinstall or postinstall lifecycle hooks in package.json — which are commonly monitored by security tooling — the attacker weaponized binding.gyp, a native build configuration file consumed by node-gyp during npm install. The malicious binding.gyp file (157 bytes) exploited GYP's shell command expansion syntax: the 'sources' field entry '<!(node index.js > /dev/null 2>&1 && echo stub.c)' causes node-gyp to execute the attacker's index.js before the build phase completes. A 'type: none' target ensured no native compilation was actually needed, meaning the shell expansion was the sole purpose of the file. Because most application security tooling inspects package.json scripts and not binding.gyp, this technique bypassed widely deployed defenses. 
The malicious payload resided in a root-level index.js file of approximately 4.5 MB — significantly larger than typical package entry points — that was never imported by normal application code.","heading":"Phantom Gyp Attack Technique","severity":"critical","sources":[{"credibility":2,"name":"Miasma npm Supply Chain Attack: Self-Spreading Worm via Phantom Gyp — StepSecurity","type":"research","url":"https://www.stepsecurity.io/blog/binding-gyp-npm-supply-chain-attack-spreads-like-worm"},{"credibility":2,"name":"How 56 npm packages used binding.gyp to steal CI/CD secrets — ReversingLabs","type":"research","url":"https://www.reversinglabs.com/blog/npm-bindinggyp-cicd-secrets"},{"credibility":2,"name":"Phantom Gyp Miasma hit Vapi, ai-sdk-ollama, and 55 more npm packages — Corgea","type":"research","url":"https://corgea.com/research/miasma-phantom-gyp-npm-worm-vapi-ai-sdk-ollama-june-2026"}]},{"content":"The malicious index.js employed a four-stage decryption and execution chain designed to resist static analysis. Stage 1 decoded approximately 1.3–1.4 million character codes via a ROT-N Caesar cipher (with rotation values varying between ROT-9 and ROT-20 across samples) wrapped in an eval() call. Stage 2 applied AES-128-GCM decryption using embedded keys and initialization vectors. Stage 3 downloaded a standalone Bun v1.3.13 runtime binary from GitHub releases and executed subsequent code outside the Node.js process, evading Node.js-scoped process monitoring. Stage 4 ran a 668 KB obfuscated main payload with a 2,306-entry encrypted string table containing credential harvesting logic and worm propagation routines. Runtime analysis by StepSecurity's Harden-Runner traced the full kill chain over 17.6 seconds: node-gyp rebuild triggered at T+2.1s, Bun downloaded and extracted in under one second at T+3.9s, credential theft via 'gh auth token' at T+8.3s, privileged memory scraping via 'sudo python3' at T+8.5s, and exfiltration API calls beginning at T+13.4s. 
Unique AES keys per package family further complicated hash-based detection across victims.","heading":"Payload Architecture and Obfuscation","severity":"critical","sources":[{"credibility":2,"name":"Miasma npm Supply Chain Attack: Self-Spreading Worm via Phantom Gyp — StepSecurity","type":"research","url":"https://www.stepsecurity.io/blog/binding-gyp-npm-supply-chain-attack-spreads-like-worm"},{"credibility":2,"name":"How 56 npm packages used binding.gyp to steal CI/CD secrets — ReversingLabs","type":"research","url":"https://www.reversinglabs.com/blog/npm-bindinggyp-cicd-secrets"},{"credibility":2,"name":"Node-gyp Supply Chain Compromise — Snyk","type":"research","url":"https://snyk.io/blog/node-gyp-supply-chain-compromise-self-propagating-npm-worm-binding-gyp/"}]},{"content":"The decoded payload revealed comprehensive multi-environment credential targeting. Cloud provider credentials swept include: AWS access keys, session tokens, and IMDSv2 metadata (169.254.169.254); GCP service account keys and application default credentials; and Azure service principal secrets, managed identity tokens, and IMDS endpoint data. CI/CD systems targeted include GitHub Actions (ACTIONS_ID_TOKEN_REQUEST_TOKEN), GitLab CI, Travis CI, CircleCI, Jenkins, and Buildkite. The payload extracted GitHub Actions masked secrets in unmasked form by reading runner process memory directly from /proc/[PID]/mem, a technique also observed in the TanStack compromise in May 2026. Secret management systems targeted include HashiCorp Vault token files and Kubernetes service account tokens. Local developer credential stores targeted include ~/.aws/credentials, ~/.kube/config, ~/.npmrc, ~/.ssh/id_*, .env files throughout project directories, Docker configuration, RubyGems API keys, and credential databases for password managers (1Password, gopass, pass) and communication tools (Signal, Telegram, Discord, Slack). 
A June 6, 2026 evolution of the campaign (tracked as 'Hades') added targeting of JFrog Artifactory credentials and extended propagation to PyPI and RubyGems ecosystems. No verified source confirmed direct targeting of cryptocurrency wallet keystore files (e.g., ~/.solana or ~/.ethereum directories) in this specific campaign, though the broad sweep of local credential stores and .env files poses an indirect risk to any developer storing private keys or seed phrases in those locations.","heading":"Credential Harvesting Scope","severity":"critical","sources":[{"credibility":2,"name":"Miasma npm Supply Chain Attack: Self-Spreading Worm via Phantom Gyp — StepSecurity","type":"research","url":"https://www.stepsecurity.io/blog/binding-gyp-npm-supply-chain-attack-spreads-like-worm"},{"credibility":2,"name":"How 56 npm packages used binding.gyp to steal CI/CD secrets — ReversingLabs","type":"research","url":"https://www.reversinglabs.com/blog/npm-bindinggyp-cicd-secrets"},{"credibility":2,"name":"Shai-Hulud — Miasma: The Spreading Blight Hits Red Hat npm Packages — JFrog Security Research","type":"research","url":"https://research.jfrog.com/post/shai-hulud-miasma-redhat-cloud-services/"},{"credibility":2,"name":"Phantom Gyp Miasma hit Vapi, ai-sdk-ollama, and 55 more npm packages — Corgea","type":"research","url":"https://corgea.com/research/miasma-phantom-gyp-npm-worm-vapi-ai-sdk-ollama-june-2026"}]},{"content":"The worm's propagation engine, which StepSecurity describes as making this campaign distinct from earlier supply chain attacks, operated as follows: stolen npm tokens were validated via registry.npmjs.org/-/whoami; the token was then used to enumerate all packages maintained by the compromised account; the worm downloaded each package, injected the malicious binding.gyp and obfuscated index.js, and republished using the stolen token. 
Critically, when GitHub Actions OIDC tokens were available, the worm requested signing certificates from Fulcio, created transparency log entries on Rekor, and generated complete SLSA v1 provenance attestations for the repackaged versions — making trojanized packages appear to have legitimate supply chain provenance to automated verification tools. The worm also injected malicious steps into GitHub Actions workflow files discovered in repositories it gained access to. The Red Hat wave demonstrated that even packages with verifiable SLSA attestations can be compromised when the signing identity itself is under attacker control. The payload also included complete templates for injecting malicious code into extconf.rb (RubyGems), Makefile.PL (Perl), and CMakeLists.txt files, indicating intent to spread beyond the npm ecosystem.","heading":"Self-Propagation Mechanism","severity":"critical","sources":[{"credibility":2,"name":"Miasma npm Supply Chain Attack: Self-Spreading Worm via Phantom Gyp — StepSecurity","type":"research","url":"https://www.stepsecurity.io/blog/binding-gyp-npm-supply-chain-attack-spreads-like-worm"},{"credibility":2,"name":"Miasma: Supply Chain Attack Targeting RedHat npm Packages — Wiz Blog","type":"research","url":"https://www.wiz.io/blog/miasma-supply-chain-attack-targeting-redhat-npm-packages"},{"credibility":2,"name":"Node-gyp Supply Chain Compromise — Snyk","type":"research","url":"https://snyk.io/blog/node-gyp-supply-chain-compromise-self-propagating-npm-worm-binding-gyp/"}]},{"content":"Beyond credential exfiltration, the payload established multiple persistence mechanisms. An 'update-monitor' daemon polled GitHub for commits matching the keyword 'firedalazer' and executed RSA-signed payloads from discovered URLs via eval() in the global scope. 
A 'gh-token-monitor' dead-man's switch monitored the validity of stolen GitHub tokens every 60 seconds with a 72-hour TTL; if a token was revoked, the payload executed 'rm -rf ~/' on the victim machine. The campaign also pioneered the injection of backdoors into AI coding assistant configuration directories: .claude/setup.mjs (Anthropic Claude Code), .cursor/rules/setup.mdc (Cursor AI), .vscode/tasks.json with runOn: folderOpen, and .gemini/ configuration files. These hooks are executed via 'bun run' rather than Node.js, aiding evasion. JFrog's analysis of the June 6 Hades variant also documented AI prompt injection targeting Cursor, GitHub Copilot, and Claude assistants via jailbreak prompts embedded in repository rule files.","heading":"Persistence and AI Coding Assistant Backdoors","severity":"critical","sources":[{"credibility":2,"name":"Miasma npm Supply Chain Attack: Self-Spreading Worm via Phantom Gyp — StepSecurity","type":"research","url":"https://www.stepsecurity.io/blog/binding-gyp-npm-supply-chain-attack-spreads-like-worm"},{"credibility":2,"name":"Shai-Hulud — Miasma: The Spreading Blight Hits Red Hat npm Packages — JFrog Security Research","type":"research","url":"https://research.jfrog.com/post/shai-hulud-miasma-redhat-cloud-services/"},{"credibility":2,"name":"How 56 npm packages used binding.gyp to steal CI/CD secrets — ReversingLabs","type":"research","url":"https://www.reversinglabs.com/blog/npm-bindinggyp-cicd-secrets"}]},{"content":"Exfiltrated credentials were encrypted with RSA public keys readable only by the attacker and uploaded to programmatically created private repositories under the GitHub account liuende501, which hosted 236 repositories at time of disclosure. Repository naming followed mythologically themed patterns: 34 repositories were labeled 'Miasma - The Spreading Blight' and 195 repositories bore the reversed string 'niagA oG eW ereH :duluH-iahS' (decoding to 'Shai-Hulud: Here We Go Again'). 
Credential packages were stored as encrypted JSON files at paths following the pattern results/results-[timestamp].json within repositories named in an adjective-creature format (e.g., 'nemean-hydra-34343'). The payload used a 'python-requests/2.31.0' User-Agent string despite running inside the Bun runtime, likely as deliberate misdirection. The JFrog report noted the payload made exfiltration calls camouflaged to resemble 'api.anthropic.com/v1/api' traffic. No formal attribution to a known threat actor group has been published as of the investigation date. C2 beacon keywords identified in the payload include 'thebeautifulmarchoftime' and 'IfYouInvalidateThisTokenItWillNukeTheComputerOfTheOwner.'","heading":"C2 Infrastructure and Attribution","severity":"high","sources":[{"credibility":2,"name":"Miasma npm Supply Chain Attack: Self-Spreading Worm via Phantom Gyp — StepSecurity","type":"research","url":"https://www.stepsecurity.io/blog/binding-gyp-npm-supply-chain-attack-spreads-like-worm"},{"credibility":2,"name":"Shai-Hulud — Miasma: The Spreading Blight Hits Red Hat npm Packages — JFrog Security Research","type":"research","url":"https://research.jfrog.com/post/shai-hulud-miasma-redhat-cloud-services/"}]},{"content":"The Miasma campaign poses an elevated risk to cryptocurrency and blockchain development workflows. CI/CD pipelines that manage smart contract deployments, wallet signers, or validator keys commonly store AWS/GCP/Azure secrets (used to access key management services), Kubernetes service account tokens (used to access secret stores), GitHub Actions tokens (used to trigger deployment workflows), and .env files containing RPC endpoints, private keys for hot wallets, or seed phrases for testing environments. Any developer who ran npm install on an affected package version in a CI/CD environment or local development machine should treat all credentials present in that environment as compromised. 
The payload's sweep of .env files across the project tree is particularly relevant to crypto developers who follow common — though insecure — practices of storing wallet private keys or mnemonic phrases in environment variables. The self-propagating nature of the worm means that a single compromised maintainer account in a developer's dependency tree could have silently poisoned transitive dependencies without any action by the direct dependency maintainer. No CVE has been formally assigned to this campaign as of the investigation date; the applicable CWEs include CWE-506 (Embedded Malicious Code), CWE-494 (Download Without Integrity Check), CWE-522 (Inadequate Log Redaction), and CWE-829 (Inclusion of Functionality from Untrusted Control Sphere).","heading":"Risk to Crypto Developer Environments","severity":"critical","sources":[{"credibility":2,"name":"Node-gyp Supply Chain Compromise — Snyk","type":"research","url":"https://snyk.io/blog/node-gyp-supply-chain-compromise-self-propagating-npm-worm-binding-gyp/"},{"credibility":2,"name":"binding.gyp Supply Chain Attack Compromises Dozens of npm Packages Across Maintainer Accounts — CybersecurityNews","type":"news_article","url":"https://cybersecuritynews.com/binding-gyp-supply-chain-attack-compromises-dozens-of-npm-packages/"},{"credibility":2,"name":"Phantom Gyp Miasma hit Vapi, ai-sdk-ollama, and 55 more npm packages — Corgea","type":"research","url":"https://corgea.com/research/miasma-phantom-gyp-npm-worm-vapi-ai-sdk-ollama-june-2026"}]},{"content":"The following packages and version families were confirmed compromised across the two primary waves. 
Wave 1 (June 1, @redhat-cloud-services namespace, 32 packages / 96 versions): packages included @redhat-cloud-services/types, @redhat-cloud-services/frontend-components, @redhat-cloud-services/javascript-clients, @redhat-cloud-services/compliance-client, @redhat-cloud-services/rbac-client, and @redhat-cloud-services/insights-client, among others averaging ~80,000 weekly downloads. Wave 2 (June 3–4, Phantom Gyp, 57 packages / 286+ versions): @vapi-ai/server-sdk (versions 0.11.1, 0.11.2, 1.2.1, 1.2.2; 408,000+ monthly downloads); ai-sdk-ollama (versions 0.13.1, 1.1.1, 2.2.1, 3.8.5; 120,000+ monthly downloads); 24 packages in the autotel-* family (database adapters and framework integrations); 8 packages in the awaitly-* family (async database utilities); 8 packages in the eslint-plugin-executable-stories family; 5 packages in the node-env-resolver family; wrangler-deploy; and packages across the @jagreehal/* scope. Consumers of any of these packages should audit their install logs for the listed version strings and rotate all credentials present in affected environments.","heading":"Affected Packages and Versions","severity":"critical","sources":[{"credibility":2,"name":"Miasma npm Supply Chain Attack: Self-Spreading Worm via Phantom Gyp — StepSecurity","type":"research","url":"https://www.stepsecurity.io/blog/binding-gyp-npm-supply-chain-attack-spreads-like-worm"},{"credibility":2,"name":"Miasma: Supply Chain Attack Targeting RedHat npm Packages — Wiz Blog","type":"research","url":"https://www.wiz.io/blog/miasma-supply-chain-attack-targeting-redhat-npm-packages"},{"credibility":2,"name":"How 56 npm packages used binding.gyp to steal CI/CD secrets — ReversingLabs","type":"research","url":"https://www.reversinglabs.com/blog/npm-bindinggyp-cicd-secrets"},{"credibility":2,"name":"Dozens of Red Hat npm packages targeted in supply chain attack — Cybersecurity 
Dive","type":"news_article","url":"https://www.cybersecuritydive.com/news/dozens-red-hat-npm-packages-supply-chain-attack/821723/"}]},{"content":"npm and Red Hat revoked the malicious versions identified in Wave 1 by approximately 14:00 UTC on June 1. Red Hat confirmed that no official Red Hat products were affected. Wave 2 malicious versions were similarly delisted from the npm registry following disclosure. npm subsequently announced a v12 security overhaul that blocks install scripts (including node-gyp invocations triggered by binding.gyp) by default, with a July 2026 deadline for CI environment migration. Chainguard reported that customers using Chainguard Images — which build from source rather than consuming registry tarballs — were not affected, as the Phantom Gyp technique has no execution surface in source-build pipelines. Security teams advised immediate credential rotation for any environment that installed affected package versions, auditing of GitHub Actions workflow files for injected steps, review of AI coding assistant configuration directories (.claude/, .cursor/, .vscode/, .gemini/) for unexpected files, and monitoring of outbound connections to github.com/oven-sh/bun/releases for Bun binary downloads. 
StepSecurity's Harden-Runner was cited as capable of detecting the attack via behavioral monitoring of child processes spawned during npm install.","heading":"Response, Mitigations, and Industry Impact","severity":"high","sources":[{"credibility":2,"name":"Miasma Phantom Gyp npm attack: 57 packages, 286 malicious versions hijack CI/CD pipelines — Chainguard","type":"research","url":"https://www.chainguard.dev/unchained/chainguard-artifacts-safe-from-miasma-phantom-gyp-npm-attack"},{"credibility":2,"name":"npm v12 Security Overhaul Blocks Install Scripts by Default — TechTimes","type":"news_article","url":"https://www.techtimes.com/articles/318328/20260613/npm-v12-security-overhaul-blocks-install-scripts-default-july-deadline-ci-migration.htm"},{"credibility":2,"name":"Miasma: Supply Chain Attack Targeting RedHat npm Packages — Wiz Blog","type":"research","url":"https://www.wiz.io/blog/miasma-supply-chain-attack-targeting-redhat-npm-packages"}]},{"content":"Security researchers published the following indicators of compromise. File-based indicators: presence of a binding.gyp file in a pure JavaScript npm package (i.e., a package with no native C/C++ addons); a root-level index.js file exceeding 4 MB that is not referenced by the package's declared main entry point; temporary directories at /tmp/b-* containing a Bun binary; unexpected files at .claude/setup.mjs, .cursor/rules/setup.mdc, .vscode/tasks.json, or .gemini/ config paths in repositories. Behavioral indicators: npm install spawning curl, unzip, or bun as child processes; node-gyp rebuild for packages that declare no native addons; GitHub API calls creating new repositories under liuende501; OIDC token exchange requests not initiated by declared workflow steps. Network indicators: outbound connections to github.com/oven-sh/bun/releases/download/bun-v1.3.13/ during package installation; GitHub API calls creating repositories matching adjective-creature naming patterns. 
C2 beacon strings: 'thebeautifulmarchoftime', 'IfYouInvalidateThisTokenItWillNukeTheComputerOfTheOwner', 'firedalazer' (polling keyword), 'Miasma - The Spreading Blight' (GitHub repository description).","heading":"Detection Indicators","severity":"medium","sources":[{"credibility":2,"name":"Miasma npm Supply Chain Attack: Self-Spreading Worm via Phantom Gyp — StepSecurity","type":"research","url":"https://www.stepsecurity.io/blog/binding-gyp-npm-supply-chain-attack-spreads-like-worm"},{"credibility":2,"name":"Node-gyp Supply Chain Compromise — Snyk","type":"research","url":"https://snyk.io/blog/node-gyp-supply-chain-compromise-self-propagating-npm-worm-binding-gyp/"},{"credibility":2,"name":"Miasma npm Worm Uses Phantom Gyp to Spread — SOC Prime","type":"research","url":"https://socprime.com/active-threats/miasma-supply-chain-attack-spreads-through-the-phantom-gyp-worm/"}]}],"sources_used":[{"credibility":2,"name":"Miasma npm Supply Chain Attack: Self-Spreading Worm via Phantom Gyp — StepSecurity","type":"research","url":"https://www.stepsecurity.io/blog/binding-gyp-npm-supply-chain-attack-spreads-like-worm"},{"credibility":2,"name":"Node-gyp Supply Chain Compromise — Snyk","type":"research","url":"https://snyk.io/blog/node-gyp-supply-chain-compromise-self-propagating-npm-worm-binding-gyp/"},{"credibility":2,"name":"Dozens of Red Hat npm packages targeted in supply chain attack — Cybersecurity Dive","type":"news_article","url":"https://www.cybersecuritydive.com/news/dozens-red-hat-npm-packages-supply-chain-attack/821723/"},{"credibility":2,"name":"Shai-Hulud — Miasma: The Spreading Blight Hits Red Hat npm Packages — JFrog Security Research","type":"research","url":"https://research.jfrog.com/post/shai-hulud-miasma-redhat-cloud-services/"},{"credibility":2,"name":"Miasma: Supply Chain Attack Targeting RedHat npm Packages — Wiz 
Blog","type":"research","url":"https://www.wiz.io/blog/miasma-supply-chain-attack-targeting-redhat-npm-packages"},{"credibility":2,"name":"How 56 npm packages used binding.gyp to steal CI/CD secrets — ReversingLabs","type":"research","url":"https://www.reversinglabs.com/blog/npm-bindinggyp-cicd-secrets"},{"credibility":2,"name":"Phantom Gyp Miasma hit Vapi, ai-sdk-ollama, and 55 more npm packages — Corgea","type":"research","url":"https://corgea.com/research/miasma-phantom-gyp-npm-worm-vapi-ai-sdk-ollama-june-2026"},{"credibility":2,"name":"Miasma Phantom Gyp npm attack: 57 packages, 286 malicious versions hijack CI/CD pipelines — Chainguard","type":"research","url":"https://www.chainguard.dev/unchained/chainguard-artifacts-safe-from-miasma-phantom-gyp-npm-attack"},{"credibility":2,"name":"binding.gyp Supply Chain Attack Compromises Dozens of npm Packages Across Maintainer Accounts — CybersecurityNews","type":"news_article","url":"https://cybersecuritynews.com/binding-gyp-supply-chain-attack-compromises-dozens-of-npm-packages/"},{"credibility":2,"name":"Supply Chain Attack Hits Dozens of npm Packages via binding.gyp — GBHackers","type":"news_article","url":"https://gbhackers.com/dozens-of-npm-packages-via-binding-gyp/"},{"credibility":2,"name":"Miasma npm Worm Uses Phantom Gyp to Spread — SOC Prime","type":"research","url":"https://socprime.com/active-threats/miasma-supply-chain-attack-spreads-through-the-phantom-gyp-worm/"},{"credibility":2,"name":"npm v12 Security Overhaul Blocks Install Scripts by Default — TechTimes","type":"news_article","url":"https://www.techtimes.com/articles/318328/20260613/npm-v12-security-overhaul-blocks-install-scripts-default-july-deadline-ci-migration.htm"},{"credibility":3,"name":"Supply chain compromise: malicious binding.gyp worm — jagreehal/ai-sdk-ollama GitHub Issue #975","type":"community_report","url":"https://github.com/jagreehal/ai-sdk-ollama/issues/975"}],"summary":"In June 2026, a self-propagating npm supply chain worm 
designated 'Miasma' exploited a novel install-time execution technique called 'Phantom Gyp' — abusing binding.gyp configuration files to trigger malicious code during npm install. The campaign spread across 57 packages and 286+ malicious versions, harvesting developer and CI/CD credentials from npm, GitHub, AWS, GCP, Azure, HashiCorp Vault, and Kubernetes, and then self-propagating by republishing poisoned releases using stolen publishing tokens. The attack poses a direct threat to crypto developers whose CI/CD pipelines manage private keys, wallet seed phrases, and signing infrastructure.","timeline":[{"date":"2026-06-01","event":"Wave 1: Attacker uses a compromised Red Hat employee GitHub account to inject malicious preinstall hooks into 32+ packages (96 versions) across the @redhat-cloud-services npm namespace; Wiz Research identifies the compromise; most malicious versions revoked by 14:00 UTC.","source":"Wiz Blog / JFrog Security Research","source_url":"https://www.wiz.io/blog/miasma-supply-chain-attack-targeting-redhat-npm-packages"},{"date":"2026-06-03","event":"Wave 2 begins at 23:30 UTC: four malicious versions of @vapi-ai/server-sdk published using the Phantom Gyp (binding.gyp) technique; within under two hours, 50+ additional packages in the jagreehal maintainer account and related families are compromised — 57 packages and 286+ malicious versions in total.","source":"StepSecurity / Snyk","source_url":"https://www.stepsecurity.io/blog/binding-gyp-npm-supply-chain-attack-spreads-like-worm"},{"date":"2026-06-04","event":"StepSecurity publishes initial disclosure naming the technique 'Phantom Gyp' and the campaign 'Miasma'; JFrog publishes analysis tying it to the Shai-Hulud worm lineage; malicious Wave 2 package versions begin to be delisted from the npm registry.","source":"StepSecurity / JFrog Security Research","source_url":"https://research.jfrog.com/post/shai-hulud-miasma-redhat-cloud-services/"},{"date":"2026-06-05","event":"Snyk, ReversingLabs, 
Corgea, Chainguard, and Wiz publish independent technical analyses; Cybersecurity Dive reports on the Red Hat connection; Red Hat confirms no official products were impacted.","source":"Cybersecurity Dive","source_url":"https://www.cybersecuritydive.com/news/dozens-red-hat-npm-packages-supply-chain-attack/821723/"},{"date":"2026-06-06","event":"JFrog identifies a 'Hades' variant of the campaign extending propagation to PyPI (.pth loader injection), RubyGems (extconf.rb injection), and JFrog Artifactory, and introducing AI assistant prompt injection via jailbreak prompts in Cursor, Copilot, and Claude rule files.","source":"JFrog Security Research","source_url":"https://research.jfrog.com/post/shai-hulud-miasma-redhat-cloud-services/"},{"date":"2026-06-13","event":"npm announces v12 security overhaul that will block install scripts (including binding.gyp-triggered node-gyp invocations) by default, with a July 2026 migration deadline for CI environments.","source":"TechTimes","source_url":"https://www.techtimes.com/articles/318328/20260613/npm-v12-security-overhaul-blocks-install-scripts-default-july-deadline-ci-migration.htm"}]},"v":1}
    Verify offline (run on your own machine)
    python -m src.verify_decision 0eebfd09-7afc-4a2d-ad01-4f9e944f48e9
How verification works. The “Row integrity” check above is computed in your browser — your machine recomputes the SHA-256 of the canonical bytes and compares against the stored hash. No avoid.net server can fake that check. The “full verify” link goes one level deeper: your browser fetches the on-chain transaction from a Solana RPC node and confirms the same hash is in the memo. If you don’t want to trust either avoid.net or the public RPC, run the CLI verifier on your own machine — python -m src.verify_decision <event_id>.