Audit log

Every state-changing event for Phantom Gyp npm Supply Chain Attack (June 2026): moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.

1. #1publishby system:backfill

   2026-06-18 23:05:39Z
   Score: ? → ? (no score change)
   anchoranchored

   chain

   ●mainnet-betaslot 427,384,392

   sig

   32G228v6HUnq…YLxFmpTjcopyexplorer ↗

   hash

   AeH6MFcdZCwY…9bhEfZ4scopysha256 → base58

   verifying row…full verify ↗

   canonical bytes (30546 B) ▸

   {"actor":"system:backfill","investigation_id":"d4524b24-44b4-47fc-ab61-dc9f6c9d99b9","kind":"publish","page_slug":"phantom-gyp-npm-supply-chain-attack-june-2026","published_at":"2026-06-18T23:05:39.638Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Phantom Gyp npm Supply Chain Attack (June 2026)","sections":[{"content":"On June 3, 2026, beginning at approximately 23:30 UTC, threat actors published 286 malicious package versions across 57 npm packages in a rolling campaign that concluded in under two hours. The campaign is formally named 'Phantom Gyp' by security researchers and is identified as the eighth distinct wave of the Miasma/Shai-Hulud self-replicating worm lineage, which originated in September 2025. The attack is distinct from — though related to — a prior June 1, 2026 Miasma wave that compromised 32 packages across the @redhat-cloud-services npm namespace. The threat actor group known as TeamPCP had published the full Mini Shai-Hulud worm source code to GitHub on May 12, 2026, alongside BreachForums posts encouraging independent campaigns, significantly complicating attribution for subsequent waves including the June 3 incident. The attack targeted developers building voice AI applications, general JavaScript tooling, and CI/CD automation, with primary victims including @vapi-ai/server-sdk, ai-sdk-ollama, and approximately 55 packages across the autotel/awaitly/executable-stories/node-env-resolver family maintained under the account 'jagreehal'.","heading":"Attack Overview","severity":"critical","sources":[{"credibility":2,"name":"Node-gyp Supply Chain Compromise: Self-Propagating npm Worm via binding.gyp — Snyk","type":"research","url":"https://snyk.io/blog/node-gyp-supply-chain-compromise-self-propagating-npm-worm-binding-gyp/"},{"credibility":2,"name":"Phantom Gyp Miasma hit Vapi, ai-sdk-ollama, and 55 more npm packages — Corgea","type":"research","url":"https://corgea.com/research/miasma-phantom-gyp-npm-worm-vapi-ai-sdk-ollama-june-2026"},{"credibility":2,"name":"Miasma npm Supply Chain Attack: Self-Spreading Worm via Phantom Gyp — StepSecurity","type":"research","url":"https://www.stepsecurity.io/blog/binding-gyp-npm-supply-chain-attack-spreads-like-worm"},{"credibility":2,"name":"IronWorm and New Miasma Worm Variant Hit npm in Supply Chain Attacks — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/06/ironworm-and-new-miasma-worm-variant.html"},{"credibility":2,"name":"Shai-Hulud Worm Hits NPM and PyPI Supply Chains — SOC Prime","type":"research","url":"https://socprime.com/active-threats/shai-hulud-here-we-go-again-worm-by-teampcp-hits-npm-and-pypi/"}]},{"content":"The defining innovation of this attack wave is the exploitation of npm's native module build path rather than the lifecycle script fields (preinstall, postinstall, prepare) that security tooling conventionally audits. The technique was named 'Phantom Gyp' by researchers at Corgea and StepSecurity. When npm detects a binding.gyp file in a package root, it automatically invokes 'node-gyp rebuild' as part of its native module compilation process. The attackers embedded a 157-byte malicious binding.gyp that used GYP's command substitution syntax '<!(...)' to execute 'node index.js > /dev/null 2>&1 && echo stub.c', triggering arbitrary code execution during installation without any entry appearing in the package.json scripts field. This rendered the attack invisible to all tools that scan package.json lifecycle hooks, which represented the dominant detection approach for supply chain malware at the time. The payload itself was a 4.5 MB obfuscated loader operating through four stages: Stage 1 applied a ROT-N Caesar cipher (shifts observed between ROT-9 and ROT-20) wrapping an AES-128-GCM encrypted payload; Stage 2 decrypted and extracted the core malware; Stage 3 downloaded a standalone Bun v1.3.13 runtime binary from GitHub releases, executing subsequent code outside Node.js process monitoring; Stage 4 launched the final stealer, obfuscated with Obfuscator.io featuring a 2,306-entry encrypted string table. The full chain from 'npm install' invocation to active credential exfiltration was measured at approximately 13.4 seconds in controlled analysis.","heading":"Phantom Gyp Technique: Technical Analysis","severity":"critical","sources":[{"credibility":2,"name":"Miasma npm Supply Chain Attack: Self-Spreading Worm via Phantom Gyp — StepSecurity","type":"research","url":"https://www.stepsecurity.io/blog/binding-gyp-npm-supply-chain-attack-spreads-like-worm"},{"credibility":2,"name":"Node-gyp Supply Chain Compromise — Snyk","type":"research","url":"https://snyk.io/blog/node-gyp-supply-chain-compromise-self-propagating-npm-worm-binding-gyp/"},{"credibility":2,"name":"Miasma Phantom Gyp npm attack: 57 packages, 286 malicious versions — Chainguard","type":"research","url":"https://www.chainguard.dev/unchained/chainguard-artifacts-safe-from-miasma-phantom-gyp-npm-attack"}]},{"content":"The worm's stealer module was purpose-built for CI/CD environments, targeting credential stores across the following platforms: npm publish tokens; GitHub personal access tokens and GitHub Actions OIDC tokens; AWS access keys and IMDSv2 metadata service tokens; GCP service account keys; Azure managed identity tokens and OIDC tokens; HashiCorp Vault tokens; Kubernetes service account tokens; RubyGems API keys; SSH private keys; and password manager stores including 1Password, pass, and gopass. A particularly sophisticated technique extracted secrets directly from GitHub Actions runner process memory using the shell pattern 'tr -d \\0 | grep -aoE', bypassing GitHub's built-in secret masking mechanism which operates at the logging layer rather than the memory layer. According to StepSecurity's analysis, this means 'every secret the runner can access should be considered compromised' for any developer who installed an affected package in a CI context. Exfiltration was routed through GitHub itself as dead-drop infrastructure: the attacker-controlled account 'liuende501' hosted 236 programmatically created repositories that received AES-encrypted credential bundles, blending exfiltration traffic with normal GitHub API activity. The C2 channel included a validation keyword 'thebeautifulmarchoftime' used by the malware to confirm active control. One threat message embedded in the malware read 'IfYouInvalidateThisTokenItWillNukeTheComputerOfTheOwner', though researchers assessed this as intimidation rather than a credible capability.","heading":"Credential Harvesting and CI/CD Targeting","severity":"critical","sources":[{"credibility":2,"name":"Miasma npm Supply Chain Attack: Self-Spreading Worm via Phantom Gyp — StepSecurity","type":"research","url":"https://www.stepsecurity.io/blog/binding-gyp-npm-supply-chain-attack-spreads-like-worm"},{"credibility":2,"name":"Node-gyp Supply Chain Compromise — Snyk","type":"research","url":"https://snyk.io/blog/node-gyp-supply-chain-compromise-self-propagating-npm-worm-binding-gyp/"},{"credibility":2,"name":"600,000 Monthly Downloads Affected: Miasma Supply Chain Attack Is Back on npm — OX Security","type":"research","url":"https://www.ox.security/blog/600000-monthly-downloads-affected-miasma-supply-chain-attack-is-back-on-npm/"}]},{"content":"The Phantom Gyp payload was designed as a self-replicating worm with propagation engines targeting multiple software ecosystems. Using stolen npm authentication tokens, the worm enumerated every package owned by a compromised maintainer account, injected the binding.gyp payload into each package's source, and republished with forged Sigstore SLSA provenance attestations to evade integrity verification. On the RubyGems platform, the worm injected equivalent malicious code into 'extconf.rb', the Ruby native extension build file that mirrors binding.gyp's role. On GitHub, the worm used stolen personal access tokens to commit backdoor files to victim repositories via the GraphQL API, inserting itself into downstream repositories. A novel propagation surface was the injection of persistent backdoor instructions into AI coding assistant configuration files: '.claude/setup.mjs' for Anthropic Claude Code, '.cursor/rules/setup.mdc' for Cursor AI, and '.vscode/tasks.json' with 'runOn: folderOpen' for Visual Studio Code. These files execute whenever developers open affected projects in AI-assisted IDEs, turning the development environment itself into a persistence and re-infection vector. The worm's repository descriptions on the liuende501 exfiltration account taunted defenders with reversed strings reading 'Shai-Hulud: Here We Go Again', referencing the prior RedHat Cloud Services compromise.","heading":"Self-Propagation: Worm Mechanics","severity":"critical","sources":[{"credibility":2,"name":"Miasma npm Supply Chain Attack: Self-Spreading Worm via Phantom Gyp — StepSecurity","type":"research","url":"https://www.stepsecurity.io/blog/binding-gyp-npm-supply-chain-attack-spreads-like-worm"},{"credibility":2,"name":"Phantom Gyp Miasma hit Vapi, ai-sdk-ollama, and 55 more npm packages — Corgea","type":"research","url":"https://corgea.com/research/miasma-phantom-gyp-npm-worm-vapi-ai-sdk-ollama-june-2026"},{"credibility":2,"name":"Shai-Hulud: Miasma — When a Supply-Chain Worm Learned to Hijack AI Coding Agents — Security Joes","type":"research","url":"https://blog.securityjoes.com/post/shai-hulud-miasma-when-a-supply-chain-worm-learned-to-hijack-ai-coding-agents"}]},{"content":"A total of 57 npm packages were compromised across 286 malicious versions. The highest-traffic victims by weekly download volume were: @vapi-ai/server-sdk (approximately 86,500 weekly downloads; 408,000+ monthly downloads), compromised in versions 0.11.1, 0.11.2, 1.2.1, and 1.2.2; and ai-sdk-ollama (approximately 36,900 weekly downloads; 120,000+ monthly downloads), compromised in versions 0.13.1, 1.1.1, 2.2.1, and 3.8.5. Combined weekly downloads across the two highest-traffic packages exceeded 500,000. The remaining 55 packages included the autotel family (approximately 25 packages), awaitly, eslint-plugin-awaitly, executable-stories, node-env-resolver, and wrangler-deploy variants, predominantly traced to the npm maintainer account 'jagreehal'. The inflated version numbers across the autotel family — jumping discontinuously from legitimate versions — were consistent with automated republishing by the worm's npm propagation engine. According to Vapi's official incident response post, the four compromised @vapi-ai/server-sdk versions were removed from npm within approximately two hours and fifty minutes of publication, and recorded zero actual downloads during the exposure window.","heading":"Affected Packages and Download Exposure","severity":"high","sources":[{"credibility":1,"name":"Our response to the June 3, 2026 supply chain incident — Vapi.ai","type":"official","url":"https://vapi.ai/blog/our-response-to-june-3-supply-chain-incident"},{"credibility":2,"name":"Node-gyp Supply Chain Compromise — Snyk","type":"research","url":"https://snyk.io/blog/node-gyp-supply-chain-compromise-self-propagating-npm-worm-binding-gyp/"},{"credibility":2,"name":"Miasma Phantom Gyp npm attack: 57 packages, 286 malicious versions — Chainguard","type":"research","url":"https://www.chainguard.dev/unchained/chainguard-artifacts-safe-from-miasma-phantom-gyp-npm-attack"},{"credibility":2,"name":"Phantom Gyp Miasma hit Vapi, ai-sdk-ollama, and 55 more npm packages — Corgea","type":"research","url":"https://corgea.com/research/miasma-phantom-gyp-npm-worm-vapi-ai-sdk-ollama-june-2026"}]},{"content":"Vapi.ai published an official incident response post confirming that an unexpired access token from a developer's personal GitHub account was the initial access vector. During a 34-minute window between 22:56 and 23:30 UTC on June 3, 2026, the compromised account pushed malicious changes to Vapi repositories. The compromised account had elevated access that allowed it to disable branch protections on affected repositories, enabling direct pushes that would ordinarily be blocked. Four npm versions — @vapi-ai/server-sdk 0.11.1, 0.11.2, 1.2.1, and 1.2.2 — were published at approximately 23:30 UTC. Vapi removed the malicious versions and rolled back changes by approximately 7:20 PM PT (02:20 UTC June 4), approximately two hours and fifty minutes after publication. Vapi confirmed zero downloads of the four affected versions occurred during the exposure window. Vapi's stated remediation actions included: immediate removal of the malicious npm versions; revocation of the compromised GitHub account's access; deletion of compromised branches; audit of all GitHub users, access patterns, and OAuth applications; strengthening of branch protections on SDK default branches; and precautionary rotation of internal Vapi secrets and keys. Vapi stated that no customer data, customer credentials, or production platform systems were breached.","heading":"Vapi.ai Incident Response","severity":"medium","sources":[{"credibility":1,"name":"Our response to the June 3, 2026 supply chain incident — Vapi.ai","type":"official","url":"https://vapi.ai/blog/our-response-to-june-3-supply-chain-incident"},{"credibility":2,"name":"Miasma npm Supply Chain Attack: Self-Spreading Worm via Phantom Gyp — StepSecurity","type":"research","url":"https://www.stepsecurity.io/blog/binding-gyp-npm-supply-chain-attack-spreads-like-worm"}]},{"content":"The June 3 Phantom Gyp wave is the eighth identified campaign in the Shai-Hulud/Miasma worm lineage, which researchers trace to September 2025. The threat actor group TeamPCP is associated with developing and distributing the original Shai-Hulud worm toolkit. On May 12, 2026, TeamPCP published the full Mini Shai-Hulud source code to GitHub alongside BreachForums posts encouraging independent threat actors to deploy their own campaigns. This open-sourcing event significantly complicated attribution for subsequent waves. Just two days before the Phantom Gyp attack, on June 1, 2026, a separate Miasma variant compromised 32 packages across 96 malicious versions in the @redhat-cloud-services npm namespace within 72 seconds, affecting packages with a combined weekly download count of approximately 116,991. On June 5, 2026, two days after the Phantom Gyp attack, a further Miasma propagation wave compromised 73 Microsoft GitHub repositories across the Azure, Azure-Samples, Microsoft, and MicrosoftDocs organizations; GitHub disabled the affected repositories in an automated sweep taking 105 seconds, though the disabling of azure/functions-action disrupted CI/CD pipelines for organizations relying on that official GitHub Action. A concurrent campaign dubbed IronWorm also targeted npm packages via compromised account 'asteroiddao', deploying a Rust ELF binary information stealer with an eBPF kernel rootkit capable of targeting 86 environment variables including cryptocurrency wallet credentials.","heading":"Broader Miasma/Shai-Hulud Campaign Context","severity":"high","sources":[{"credibility":2,"name":"Miasma Supply Chain Attack Compromises Red Hat npm Packages — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/06/miasma-supply-chain-attack-compromises.html"},{"credibility":2,"name":"Miasma Worm Hits 73 Microsoft GitHub Repositories — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/06/miasma-worm-hits-73-microsoft-github.html"},{"credibility":2,"name":"Shai-Hulud Worm Hits NPM and PyPI Supply Chains — SOC Prime","type":"research","url":"https://socprime.com/active-threats/shai-hulud-here-we-go-again-worm-by-teampcp-hits-npm-and-pypi/"},{"credibility":2,"name":"IronWorm and New Miasma Worm Variant Hit npm — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/06/ironworm-and-new-miasma-worm-variant.html"},{"credibility":2,"name":"Over 100 NPM, PyPI Packages Hit in New Shai-Hulud Supply Chain Attacks — SecurityWeek","type":"news_article","url":"https://www.securityweek.com/over-100-npm-pypi-packages-hit-in-new-shai-hulud-supply-chain-attacks/"}]},{"content":"The Phantom Gyp attack is directly relevant to the crypto and web3 developer ecosystem for several reasons. First, packages such as @vapi-ai/server-sdk and ai-sdk-ollama are widely used in AI-agent and voice-AI application stacks that interface with blockchain services and crypto payment infrastructure. Second, the IronWorm campaign running concurrently with Phantom Gyp explicitly targeted 86 environment variables including cryptocurrency wallet credentials, private keys, and seed phrases stored in developer environments. Third, the credential harvesting scope — covering AWS, GCP, Azure, GitHub Actions secrets, and Kubernetes service tokens — directly threatens the CI/CD pipelines used by crypto exchanges, DeFi protocols, and wallet providers to deploy smart contracts and backend infrastructure. Fourth, the AI coding assistant poisoning vectors (.claude/setup.mjs, .cursor/rules/) specifically target developers using AI-assisted tooling, a rapidly growing workflow in the web3 development community. Any developer working in a JavaScript-based crypto or web3 project who runs 'npm install' in CI/CD against a lockfile containing one of the 57 affected packages at a compromised version should treat all CI/CD credentials as compromised, regardless of whether the malware was observed executing.","heading":"Relevance to Crypto and Web3 Developers","severity":"high","sources":[{"credibility":2,"name":"Node-gyp Supply Chain Compromise — Snyk","type":"research","url":"https://snyk.io/blog/node-gyp-supply-chain-compromise-self-propagating-npm-worm-binding-gyp/"},{"credibility":2,"name":"IronWorm and New Miasma Worm Variant Hit npm — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/06/ironworm-and-new-miasma-worm-variant.html"},{"credibility":2,"name":"Miasma Phantom Gyp npm attack — Chainguard","type":"research","url":"https://www.chainguard.dev/unchained/chainguard-artifacts-safe-from-miasma-phantom-gyp-npm-attack"}]},{"content":"Security researchers from Snyk, StepSecurity, and Corgea published the following indicators of compromise and detection signals. In the file system: presence of a binding.gyp file containing the '<!(', sequence in any pure-JavaScript package that declares no native dependencies; root-level index.js files exceeding 1 MB where the declared package 'main' entry is under 50 KB; and presence of AI assistant configuration files (.claude/setup.mjs, .cursor/rules/setup.mdc, .vscode/tasks.json with runOn:folderOpen) not present in the canonical upstream repository. In process activity: unexpected invocations of 'node-gyp rebuild' during package installation; child processes including curl, unzip, or bun spawned from within npm install; and outbound HTTPS connections to github.com/oven-sh/bun/releases or api.github.com originating from CI runners during dependency installation. Recommended remediation steps for affected organizations: (1) Remove AI assistant configuration backdoor files before rotating any credentials, as these can re-execute and harvest newly rotated values; (2) Perform a clean install using 'npm install --ignore-scripts' to avoid re-triggering any remaining malware; (3) Rotate all credentials reachable from affected CI/CD environments, including npm tokens, GitHub PATs, AWS access keys, GCP service account keys, Azure managed identity tokens, Vault tokens, and Kubernetes service tokens; (4) Audit GitHub repositories and Actions workflow files for unauthorized commits and newly added workflow files; (5) Search for repositories created under the 'liuende501' GitHub account in outbound API logs; (6) Implement lockfile integrity verification and pin all dependencies with exact version hashes in CI/CD; and (7) Restrict CI/CD OIDC token scopes to the minimum required permissions.","heading":"Detection Indicators and Remediation","severity":"high","sources":[{"credibility":2,"name":"Node-gyp Supply Chain Compromise — Snyk","type":"research","url":"https://snyk.io/blog/node-gyp-supply-chain-compromise-self-propagating-npm-worm-binding-gyp/"},{"credibility":2,"name":"Miasma npm Supply Chain Attack: Self-Spreading Worm via Phantom Gyp — StepSecurity","type":"research","url":"https://www.stepsecurity.io/blog/binding-gyp-npm-supply-chain-attack-spreads-like-worm"},{"credibility":2,"name":"Phantom Gyp Miasma hit Vapi, ai-sdk-ollama, and 55 more npm packages — Corgea","type":"research","url":"https://corgea.com/research/miasma-phantom-gyp-npm-worm-vapi-ai-sdk-ollama-june-2026"}]},{"content":"Attribution for the June 3 Phantom Gyp wave remains uncertain as of the date of this report. The campaign is technically linked to the Miasma/Shai-Hulud worm family, and the C2 infrastructure taunt messages referencing 'Shai-Hulud' suggest continuity with prior waves. TeamPCP is the threat actor group associated with the original Shai-Hulud worm toolkit development and with a May 2026 PyPI attack; however, TeamPCP's May 12, 2026 open-sourcing of the Mini Shai-Hulud codebase on GitHub and BreachForums means independent actors could have deployed the June 3 wave without any direct connection to TeamPCP. Researchers at The Hacker News and SecurityWeek both characterized attribution as indeterminate given the open-source nature of the toolkit. The exfiltration infrastructure (GitHub account liuende501, 236 staging repositories) was assessed as attacker-controlled based on the programmatic repository structure and taunt strings, but no identity has been publicly confirmed. The use of forged Sigstore SLSA provenance attestations to disguise malicious republished packages represents a sophisticated understanding of modern supply chain integrity tooling.","heading":"Attribution and Threat Actor Assessment","severity":"medium","sources":[{"credibility":2,"name":"Over 100 NPM, PyPI Packages Hit in New Shai-Hulud Supply Chain Attacks — SecurityWeek","type":"news_article","url":"https://www.securityweek.com/over-100-npm-pypi-packages-hit-in-new-shai-hulud-supply-chain-attacks/"},{"credibility":2,"name":"Shai-Hulud: Miasma — When a Supply-Chain Worm Learned to Hijack AI Coding Agents — Security Joes","type":"research","url":"https://blog.securityjoes.com/post/shai-hulud-miasma-when-a-supply-chain-worm-learned-to-hijack-ai-coding-agents"},{"credibility":2,"name":"Shai-Hulud Worm Hits NPM and PyPI Supply Chains — SOC Prime","type":"research","url":"https://socprime.com/active-threats/shai-hulud-here-we-go-again-worm-by-teampcp-hits-npm-and-pypi/"}]}],"sources_used":[{"credibility":2,"name":"Node-gyp Supply Chain Compromise: Self-Propagating npm Worm via binding.gyp — Snyk","type":"research","url":"https://snyk.io/blog/node-gyp-supply-chain-compromise-self-propagating-npm-worm-binding-gyp/"},{"credibility":2,"name":"Phantom Gyp Miasma hit Vapi, ai-sdk-ollama, and 55 more npm packages — Corgea","type":"research","url":"https://corgea.com/research/miasma-phantom-gyp-npm-worm-vapi-ai-sdk-ollama-june-2026"},{"credibility":2,"name":"Miasma npm Supply Chain Attack: Self-Spreading Worm via Phantom Gyp — StepSecurity","type":"research","url":"https://www.stepsecurity.io/blog/binding-gyp-npm-supply-chain-attack-spreads-like-worm"},{"credibility":2,"name":"binding.gyp Supply Chain Attack Compromises Dozens of npm Packages — Cybersecurity News","type":"news_article","url":"https://cybersecuritynews.com/binding-gyp-supply-chain-attack-compromises-dozens-of-npm-packages/"},{"credibility":1,"name":"Our response to the June 3, 2026 supply chain incident — Vapi.ai","type":"official","url":"https://vapi.ai/blog/our-response-to-june-3-supply-chain-incident"},{"credibility":2,"name":"Miasma Phantom Gyp npm attack: 57 packages, 286 malicious versions — Chainguard","type":"research","url":"https://www.chainguard.dev/unchained/chainguard-artifacts-safe-from-miasma-phantom-gyp-npm-attack"},{"credibility":2,"name":"IronWorm and New Miasma Worm Variant Hit npm in Supply Chain Attacks — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/06/ironworm-and-new-miasma-worm-variant.html"},{"credibility":2,"name":"Miasma Worm Hits 73 Microsoft GitHub Repositories — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/06/miasma-worm-hits-73-microsoft-github.html"},{"credibility":2,"name":"Miasma Supply Chain Attack Compromises Red Hat npm Packages — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/06/miasma-supply-chain-attack-compromises.html"},{"credibility":2,"name":"Over 100 NPM, PyPI Packages Hit in New Shai-Hulud Supply Chain Attacks — SecurityWeek","type":"news_article","url":"https://www.securityweek.com/over-100-npm-pypi-packages-hit-in-new-shai-hulud-supply-chain-attacks/"},{"credibility":2,"name":"Shai-Hulud: Miasma — When a Supply-Chain Worm Learned to Hijack AI Coding Agents — Security Joes","type":"research","url":"https://blog.securityjoes.com/post/shai-hulud-miasma-when-a-supply-chain-worm-learned-to-hijack-ai-coding-agents"},{"credibility":2,"name":"Shai-Hulud Worm Hits NPM and PyPI Supply Chains — SOC Prime","type":"research","url":"https://socprime.com/active-threats/shai-hulud-here-we-go-again-worm-by-teampcp-hits-npm-and-pypi/"},{"credibility":2,"name":"Miasma npm Worm Uses Phantom Gyp to Spread — SOC Prime","type":"research","url":"https://socprime.com/active-threats/miasma-supply-chain-attack-spreads-through-the-phantom-gyp-worm/"},{"credibility":2,"name":"Supply Chain Attack Hits Dozens of npm Packages via binding.gyp — GBHackers","type":"news_article","url":"https://gbhackers.com/dozens-of-npm-packages-via-binding-gyp/"},{"credibility":2,"name":"Miasma NPM Supply Chain Attack: Red Hat Cloud Services npm Packages — Phoenix Security","type":"research","url":"https://phoenix.security/miasma-redhat-cloud-services-npm-supply-chain-shai-hulud-variant/"}],"summary":"On June 3, 2026, attackers deployed a self-replicating worm across 57 npm packages in 286 malicious versions within under two hours, using a novel technique dubbed 'Phantom Gyp' that abused binding.gyp build configuration files to execute malicious code during npm install while bypassing all mainstream lifecycle-script security scanners. The campaign — classified as the latest wave of the Miasma/Shai-Hulud worm family — targeted CI/CD credential stores across AWS, GCP, Azure, GitHub, Kubernetes, and developer password managers, and included novel persistence mechanisms that injected backdoors into AI coding assistant configurations. The highest-profile victim was @vapi-ai/server-sdk (408,000+ monthly downloads), though Vapi confirmed the four compromised versions received zero downloads before removal.","timeline":[{"date":"2025-09","event":"First Shai-Hulud self-replicating npm worm observed; attributed to threat actor group TeamPCP.","source":"SOC Prime","source_url":"https://socprime.com/active-threats/shai-hulud-here-we-go-again-worm-by-teampcp-hits-npm-and-pypi/"},{"date":"2026-05-12","event":"TeamPCP publishes full Mini Shai-Hulud worm source code to GitHub alongside BreachForums posts encouraging independent campaigns, open-sourcing the attack toolkit.","source":"SecurityWeek","source_url":"https://www.securityweek.com/over-100-npm-pypi-packages-hit-in-new-shai-hulud-supply-chain-attacks/"},{"date":"2026-06-01","event":"Miasma worm compromises 32 packages across 96 malicious versions in the @redhat-cloud-services npm namespace within 72 seconds. Combined weekly downloads approximately 116,991.","source":"The Hacker News","source_url":"https://thehackernews.com/2026/06/miasma-supply-chain-attack-compromises.html"},{"date":"2026-06-03","event":"At approximately 22:56 UTC, a compromised developer personal GitHub access token is used to begin pushing malicious changes to Vapi.ai repositories, disabling branch protections.","source":"Vapi.ai official incident response","source_url":"https://vapi.ai/blog/our-response-to-june-3-supply-chain-incident"},{"date":"2026-06-03","event":"At approximately 23:30 UTC, four malicious versions of @vapi-ai/server-sdk (0.11.1, 0.11.2, 1.2.1, 1.2.2) are published to npm. The Phantom Gyp campaign begins.","source":"Vapi.ai official incident response","source_url":"https://vapi.ai/blog/our-response-to-june-3-supply-chain-incident"},{"date":"2026-06-03","event":"Within one hour of the initial breach, attackers pivot to the jagreehal maintainer account and publish poisoned versions of 55+ additional packages across the autotel, awaitly, ai-sdk-ollama, and related families.","source":"Snyk","source_url":"https://snyk.io/blog/node-gyp-supply-chain-compromise-self-propagating-npm-worm-binding-gyp/"},{"date":"2026-06-03","event":"Full 57-package, 286-malicious-version campaign completes in under two hours. Phantom Gyp technique identified: 157-byte binding.gyp file abuses GYP command substitution to execute payload, bypassing all lifecycle-script scanners.","source":"StepSecurity","source_url":"https://www.stepsecurity.io/blog/binding-gyp-npm-supply-chain-attack-spreads-like-worm"},{"date":"2026-06-03","event":"At approximately 19:20 PT (02:20 UTC June 4), Vapi removes the four malicious @vapi-ai/server-sdk versions and rolls back compromised repository changes. Zero downloads confirmed for the affected versions.","source":"Vapi.ai official incident response","source_url":"https://vapi.ai/blog/our-response-to-june-3-supply-chain-incident"},{"date":"2026-06-04","event":"Vapi learns of StepSecurity's public disclosure of the broader Miasma attack connecting the @vapi-ai incident to the wider Phantom Gyp campaign.","source":"Vapi.ai official incident response","source_url":"https://vapi.ai/blog/our-response-to-june-3-supply-chain-incident"},{"date":"2026-06-05","event":"StepSecurity, Snyk, Corgea, and The Hacker News publish detailed technical analyses of the Phantom Gyp technique, naming the campaign and documenting the full four-stage obfuscated payload.","source":"The Hacker News","source_url":"https://thehackernews.com/2026/06/ironworm-and-new-miasma-worm-variant.html"},{"date":"2026-06-05","event":"Miasma worm propagates to 73 Microsoft GitHub repositories across Azure, Azure-Samples, Microsoft, and MicrosoftDocs organizations using previously stolen contributor credentials. GitHub disables affected repositories in a 105-second automated sweep.","source":"The Hacker News","source_url":"https://thehackernews.com/2026/06/miasma-worm-hits-73-microsoft-github.html"}]},"v":1}

   Verify offline (run on your own machine)

   python -m src.verify_decision 47f2d005-5912-49b3-87fa-4c6adc41351dcopy