Phantom Gyp npm Supply Chain Attack (June 2026)
Summary
On June 3, 2026, attackers deployed a self-replicating worm across 57 npm packages in 286 malicious versions in under two hours, using a novel technique dubbed 'Phantom Gyp' that abused binding.gyp build configuration files to execute malicious code during npm install while bypassing all mainstream lifecycle-script security scanners. The campaign — classified as the latest wave of the Miasma/Shai-Hulud worm family — targeted CI/CD credential stores across AWS, GCP, Azure, GitHub, Kubernetes, and developer password managers, and included novel persistence mechanisms that injected backdoors into AI coding assistant configurations. The highest-profile victim was @vapi-ai/server-sdk (408,000+ monthly downloads), though Vapi confirmed the four compromised versions received zero downloads before removal.
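A defender-side triage scan for the binding.gyp abuse described above, added here as an example and not code from this page or from any of the vendors it cites. It assumes an unpacked node_modules tree and relies on two documented behaviours: GYP runs the command inside `<!(...)` / `<!@(...)` while node-gyp configures a build, and npm runs `node-gyp rebuild` by default when a package ships a binding.gyp without an install or preinstall script; the two sample packages are constructed.

```python
import json
import os
import re
import tempfile

# node-gyp runs "<!(cmd)" / "<!@(cmd)" in a shell while configuring the build during
# `npm install`, so there is no lifecycle script for a script scanner to inspect.
GYP_CMD_EXPANSION = re.compile(r"<!@?\(")
def implicit_node_gyp(pkg_dir):
    """True when npm itself runs `node-gyp rebuild`: no install/preinstall script declared."""
    try:
        with open(os.path.join(pkg_dir, "package.json"), encoding="utf-8") as fh:
            scripts = json.load(fh).get("scripts") or {}
    except (OSError, ValueError):
        scripts = {}
    return not ({"install", "preinstall"} & set(scripts))
def scan_package(pkg_dir):
    """Findings for one unpacked package directory that carries a binding.gyp."""
    findings = []
    with open(os.path.join(pkg_dir, "binding.gyp"), encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            # Legitimate addons expand commands too (e.g. to find node-addon-api headers),
            # so each hit is a triage lead to review, not grounds to auto-block.
            if GYP_CMD_EXPANSION.search(line):
                findings.append(("gyp-command-expansion", lineno, line.strip()))
    if findings and implicit_node_gyp(pkg_dir):
        findings.append(("implicit-node-gyp-rebuild", 0, "no install/preinstall script"))
    return findings
def scan_tree(root):
    # Walk a node_modules tree; report packages whose binding.gyp expands commands.
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if "binding.gyp" in files and (hits := scan_package(dirpath)):
            report[os.path.relpath(dirpath, root)] = hits
    return report
SAMPLE = {  # constructed sample packages, not real ones: (binding.gyp, package.json)
    "plain-addon": ('{"targets": [{"target_name": "plain", "sources": ["plain.cc"]}]}\n',
                    '{"name": "plain-addon", "version": "1.0.0"}\n'),
    "suspect-pkg": ('{"targets": [{"target_name": "suspect", "sources": ["noop.cc"],\n'
                    '  "defines": ["SAMPLE=<!(echo constructed-sample)"]}]}\n',
                    '{"name": "suspect-pkg", "version": "0.0.1", "scripts": {"test": "true"}}\n'),
}
def demo():
    """Write the constructed tree into a temp dir, scan it and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, (gyp, pj) in SAMPLE.items():
            d = os.path.join(tmp, "node_modules", name)
            os.makedirs(d)
            for fname, body in (("binding.gyp", gyp), ("package.json", pj)):
                with open(os.path.join(d, fname), "w", encoding="utf-8") as fh:
                    fh.write(body)
        return scan_tree(os.path.join(tmp, "node_modules"))
```

Pointing scan_tree at a real node_modules directory lists every package that expands commands at configure time; the plain addon in the sample produces no finding, the one with command expansion and no declared install script produces two.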
Timeline (11 events)

2025-09
First Shai-Hulud self-replicating npm worm observed; attributed to threat actor group TeamPCP.
Source: SOC Prime

2026-05-12
TeamPCP publishes full Mini Shai-Hulud worm source code to GitHub alongside BreachForums posts encouraging independent campaigns, open-sourcing the attack toolkit.
Source: SecurityWeek

2026-06-01
Miasma worm compromises 32 packages across 96 malicious versions in the @redhat-cloud-services npm namespace within 72 seconds. Combined weekly downloads approximately 116,991.
Source: The Hacker News

2026-06-03
At approximately 22:56 UTC, a compromised developer personal GitHub access token is used to begin pushing malicious changes to Vapi.ai repositories, disabling branch protections.
Source: Vapi.ai official incident response

2026-06-03
At approximately 23:30 UTC, four malicious versions of @vapi-ai/server-sdk (0.11.1, 0.11.2, 1.2.1, 1.2.2) are published to npm. The Phantom Gyp campaign begins.
Source: Vapi.ai official incident response

2026-06-03
Within one hour of the initial breach, attackers pivot to the jagreehal maintainer account and publish poisoned versions of 55+ additional packages across the autotel, awaitly, ai-sdk-ollama, and related families.
Source: Snyk

2026-06-03
Full 57-package, 286-malicious-version campaign completes in under two hours. Phantom Gyp technique identified: a 157-byte binding.gyp file abuses GYP command substitution to execute the payload, bypassing all lifecycle-script scanners.
Source: StepSecurity

2026-06-03
At approximately 19:20 PT (02:20 UTC June 4), Vapi removes the four malicious @vapi-ai/server-sdk versions and rolls back compromised repository changes. Zero downloads confirmed for the affected versions.
Source: Vapi.ai official incident response

2026-06-04
Vapi learns of StepSecurity's public disclosure of the broader Miasma attack connecting the @vapi-ai incident to the wider Phantom Gyp campaign.
Source: Vapi.ai official incident response

2026-06-05
StepSecurity, Snyk, Corgea, and The Hacker News publish detailed technical analyses of the Phantom Gyp technique, naming the campaign and documenting the full four-stage obfuscated payload.
Source: The Hacker News

2026-06-05
Miasma worm propagates to 73 Microsoft GitHub repositories across Azure, Azure-Samples, Microsoft, and MicrosoftDocs organizations using previously stolen contributor credentials. GitHub disables affected repositories in a 105-second automated sweep.
Source: The Hacker News

Decision Log
hash: AeH6MFcdZCwYWbAgijXQYWKkm78YoLAuozoF9bhEfZ4s
This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.
model: claude-sonnet-4-6
generated: 6/18/2026, 11:05:29 PM
last updated: 6/18/2026, 11:05:39 PM
avoid.net — verified advice for a post-truth world