Phantom Gyp Attack: Self-Replicating Worm Compromises npm Packages via binding.gyp Exploit
In a sophisticated supply chain attack, a self-replicating worm has infiltrated the npm registry by exploiting the binding.gyp configuration file, a method that has largely evaded traditional security measures. Unlike typical attacks that manipulate package.json scripts, this campaign leverages binding.gyp to execute malicious code during the npm install process, catching many developers off guard.
The attack unfolded rapidly, compromising 57 npm packages across more than 286 malicious versions within a two-hour window on June 3, 2026. The primary target was @vapi-ai/server-sdk, the official Vapi.ai voice AI server SDK, which boasts over 408,000 monthly downloads. The initial breach occurred at 23:30 UTC, and within an hour, over 50 additional packages maintained by jagreehal were also compromised, including ai-sdk-ollama, with more than 120,000 monthly downloads.
Security researchers at StepSecurity have dubbed this technique Phantom Gyp. Their analysis reveals that the attacker utilized a 157-byte binding.gyp file to trigger code execution during installation, effectively bypassing the preinstall and postinstall lifecycle checks that most security scanners monitor. This method exploits npm’s automatic execution of node-gyp rebuild when it detects a binding.gyp file, which is typically used for packages containing native C or C++ code. By embedding a shell command within gyp’s command substitution syntax, the attacker was able to launch a malicious payload while returning a fake source filename, ensuring the build process appeared error-free. Consequently, tools that only scan package.json for install scripts failed to detect any anomalies.
The payload is a new variant of the Miasma worm, a self-spreading malware family that had previously targeted 32 packages under the @redhat-cloud-services npm namespace just two days earlier. The attacker left a taunting message in 195 GitHub repository descriptions, a reversed string that decodes to Shai-Hulud: Here We Go Again, referencing StepSecurity’s prior analysis of the Red Hat incident. This indicates a calculated and persistent attack strategy.
Once activated, the malware functions as a comprehensive credential harvester, specifically designed for CI/CD environments. It targets AWS keys, GCP credentials, Azure tokens, HashiCorp Vault tokens, GitHub Actions secrets, and 1Password vaults. Notably, it scrapes GitHub Actions runner memory directly to extract masked secrets in their unmasked form, posing a significant threat to developers and organizations relying on these services.
The malicious root index.js file is notably large at 4.5 MB, compared to the legitimate package entry point of only 27 KB, a size discrepancy that should raise immediate suspicion. The payload is concealed under four layers of obfuscation, including a ROT cipher, AES-128-GCM encryption, and a runtime-switching technique that downloads the Bun JavaScript runtime in under one second to execute the final stage outside of Node.js. This clever maneuver specifically evades security tools that monitor Node.js process activity.
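The two indicators the article describes can be checked statically before a package is installed: a binding.gyp whose `sources` carry a gyp command expansion (`<!( … )` / `<!@( … )`) instead of plain source files, and a package entry point far larger than the legitimate release. The script below is an added example, not StepSecurity's tooling and not code from the article; the package layout, rule names, the 10x size ratio and the `CONSTRUCTED_PLACEHOLDER_COMMAND` string in the sample binding.gyp are all constructed for illustration.

```python
"""Install-time triage for an unpacked npm package (added example).

Looks at binding.gyp, which npm turns into an implicit `node-gyp rebuild`
install step, as well as package.json lifecycle scripts and the size of
the package entry point compared with a known-good baseline.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass

# gyp command expansion: <!(cmd) and <!@(cmd) run `cmd` when gyp evaluates
# the file, so any occurrence in binding.gyp executes code at install time.
GYP_CMD_EXPANSION = re.compile(r"<!@?\(([^)]*)\)")
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


@dataclass(frozen=True)
class Finding:
    severity: str  # "info" | "medium" | "high"
    rule: str
    detail: str


def scan_binding_gyp(text: str) -> list[Finding]:
    """A genuine native build lists plain source files; a command expansion
    inside binding.gyp is the Phantom Gyp indicator."""
    findings = [Finding("info", "binding-gyp-present",
                        "binding.gyp makes npm run `node-gyp rebuild` on install")]
    for match in GYP_CMD_EXPANSION.finditer(text):
        findings.append(Finding("high", "gyp-command-expansion",
                                f"command expansion in binding.gyp: {match.group(0)[:80]}"))
    return findings


def scan_install_scripts(pkg: dict) -> list[Finding]:
    """The lifecycle hooks that scripts-only scanners already check."""
    scripts = pkg.get("scripts") or {}
    return [Finding("medium", "install-script", f"{hook}: {scripts[hook]}")
            for hook in INSTALL_HOOKS if hook in scripts]


def check_entry_size(files: dict[str, bytes], pkg: dict,
                     baseline_bytes: int | None, ratio: float = 10.0) -> list[Finding]:
    """Compare the entry point's size with a known-good baseline (e.g. the
    previous release); 4.5 MB replacing 27 KB exceeds any plausible growth."""
    entry = (pkg.get("main") or "index.js").removeprefix("./")
    if entry not in files or baseline_bytes is None:
        return []
    size = len(files[entry])
    if size > ratio * baseline_bytes:
        return [Finding("high", "entry-point-bloat",
                        f"{entry} is {size} bytes, baseline {baseline_bytes} "
                        f"(x{size / baseline_bytes:.1f})")]
    return []


def scan_package(files: dict[str, bytes],
                 baseline_entry_bytes: int | None = None) -> list[Finding]:
    """files maps a path relative to the package root to its content."""
    pkg = json.loads(files["package.json"]) if "package.json" in files else {}
    findings: list[Finding] = []
    if "binding.gyp" in files:
        findings += scan_binding_gyp(files["binding.gyp"].decode("utf-8", "replace"))
    findings += scan_install_scripts(pkg)
    findings += check_entry_size(files, pkg, baseline_entry_bytes)
    return findings


def max_severity(findings: list[Finding]) -> str:
    order = {"info": 0, "medium": 1, "high": 2}
    return max((f.severity for f in findings), key=order.get, default="none")


# Constructed sample package: no lifecycle scripts in package.json (so a
# scripts-only scanner sees nothing), a binding.gyp whose "sources" entry is a
# command expansion holding a placeholder rather than any real command, and an
# entry point far larger than the 27 KB baseline of the legitimate release.
SAMPLE_PACKAGE: dict[str, bytes] = {
    "package.json": json.dumps({"name": "constructed-example", "version": "0.0.1",
                                "main": "index.js"}).encode(),
    "binding.gyp": (b"{'targets': [{'target_name': 'native',\n"
                    b"  'sources': ['<!(CONSTRUCTED_PLACEHOLDER_COMMAND)']}]}\n"),
    "index.js": b"/" * 4_500_000,
}
LEGIT_ENTRY_BASELINE = 27 * 1024


def triage_sample() -> list[Finding]:
    return scan_package(SAMPLE_PACKAGE, baseline_entry_bytes=LEGIT_ENTRY_BASELINE)


if __name__ == "__main__":
    for f in triage_sample():
        print(f"[{f.severity:6}] {f.rule}: {f.detail}")
```

Run it against the contents of `npm pack` output (or a `node_modules` entry) rather than the registry metadata: the point of the check is that the install-time behaviour lives in a file package.json never mentions, so a review that stops at the `scripts` block reports nothing for this package while the binding.gyp rule fires.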