A large-scale npm supply chain attack has compromised at least 57 packages across more than 286 malicious versions in a rapid, coordinated campaign that unfolded in under two hours on June 3, 2026.
The attack began at approximately 23:30 UTC with the compromise of @vapi-ai/server-sdk, the official Vapi.ai voice AI SDK with over 408,000 monthly downloads, before quickly expanding to dozens of packages maintained by developer jagreehal and multiple related package families.
Within an hour of the initial breach, attackers had pushed malicious updates to over 50 additional packages, including ai-sdk-ollama, which alone records more than 120,000 monthly downloads.
Other affected ecosystems include autotel, awaitly, executable-stories, node-env-resolver, and wrangler-deploy, indicating a broad and automated propagation strategy targeting high-impact developer tooling.
Security researchers attribute the campaign to a new variant of the Miasma worm, a self-propagating supply chain malware family previously observed compromising Red Hat-associated npm packages just days earlier.
This latest wave introduces a stealthy execution technique dubbed “Phantom Gyp,” which bypasses traditional npm security checks by exploiting the binding.gyp build configuration file instead of relying on preinstall or postinstall scripts.
According to StepSecurity, the attack hinges on a minimal 157-byte binding.gyp file embedded within malicious package versions. When npm detects this file, it automatically invokes node-gyp rebuild, a standard process for compiling native modules.
The attackers weaponized gyp’s command substitution feature to execute a hidden payload during installation, effectively achieving arbitrary code execution without triggering conventional lifecycle script monitoring tools.
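An added example (not code from StepSecurity's report or from the affected packages): a Node.js check that flags a package whose binding.gyp triggers the implicit node-gyp rebuild and relies on gyp command expansion while shipping nothing to compile. The function names, the heuristic and both sample packages are assumptions constructed for illustration.

```javascript
const GYP_CMD = /<!@?\(/g;                      // gyp command expansion: <!(cmd) and <!@(cmd)
const NATIVE_SRC = /\.(c|cc|cpp|cxx|m|mm)$/i;   // sources a real native addon would ship

// files: { "relative/path": "text" } for one unpacked package (only the two manifests need text).
function auditPackage(files) {
  const gyp = files['binding.gyp'];
  if (gyp === undefined) return { suspicious: false, findings: [] };
  let scripts = {};
  try { scripts = JSON.parse(files['package.json'] || '{}').scripts || {}; } catch { /* bad manifest */ }
  // npm defaults the install command to "node-gyp rebuild" when neither script is declared.
  const implicitBuild = !scripts.install && !scripts.preinstall;
  const cmds = (gyp.match(GYP_CMD) || []).length;
  const hasNative = Object.keys(files).some((p) => NATIVE_SRC.test(p));
  const findings = [];
  if (implicitBuild) findings.push('implicit node-gyp rebuild (no install script declared)');
  if (cmds) findings.push(`${cmds} gyp command expansion(s)`);
  if (!hasNative) findings.push('no native sources shipped');
  // Real addons also use expansions (e.g. to locate headers); with nothing to compile they stand out.
  return { suspicious: cmds > 0 && !hasNative, findings };
}

// Walks a tree such as node_modules and audits every directory that holds a binding.gyp.
function scanTree(root) {
  const fs = require('node:fs'), path = require('node:path');
  const list = (dir) => fs.readdirSync(dir, { withFileTypes: true }).flatMap((e) =>
    e.isDirectory() ? list(path.join(dir, e.name)) : [path.join(dir, e.name)]);
  const all = list(root);
  return all.filter((f) => path.basename(f) === 'binding.gyp').map((g) => {
    const pkg = path.dirname(g), files = {};
    for (const f of all.filter((x) => x.startsWith(pkg + path.sep))) {
      const rel = path.relative(pkg, f).split(path.sep).join('/');
      files[rel] = /^(binding\.gyp|package\.json)$/.test(rel) ? fs.readFileSync(f, 'utf8') : '';
    }
    return { pkg, ...auditPackage(files) };
  });
}

// Constructed samples, not the real payload: a gyp file with nothing to build, and a normal addon.
const SAMPLE_SUSPECT = {
  'package.json': JSON.stringify({ name: 'demo-pkg', main: './dist/index.js' }),
  'binding.gyp': `{ "targets": [{ "target_name": "x", "sources": ["<!(echo constructed-sample)"] }] }`,
  'index.js': '', 'dist/index.js': '',
};
const SAMPLE_ADDON = {
  'package.json': JSON.stringify({ name: 'demo-addon' }),
  'binding.gyp': `{ "targets": [{ "target_name": "addon", "sources": ["src/addon.cc"], "include_dirs": ["<!(node -e \\"require('nan')\\")"] }] }`,
  'src/addon.cc': '',
};
```

Calling scanTree('node_modules') after an install run with scripts disabled returns one record per package that carries a binding.gyp, with the same verdict fields.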
Once executed, the malware initiates a multi-stage payload chain. It begins with heavy obfuscation using ROT-based encoding and eval execution, followed by AES-128-GCM decryption of embedded payloads.
A notable component is the rapid download and deployment of the Bun runtime, which is used to execute the final malicious stage outside the Node.js environment, evading many runtime-based detection mechanisms.
Dozens of npm Packages via binding.gyp
Runtime analysis reveals a highly structured kill chain. Within seconds of installation, the malware downloads dependencies, executes obfuscated scripts, escalates privileges using sudo python3, and accesses GitHub Actions runner memory to extract sensitive secrets.
It specifically targets masked secrets by reading the Runner.Worker process memory, allowing it to recover credentials in plaintext form.
The malware demonstrates extensive credential harvesting capabilities across cloud and developer environments. It targets AWS, Google Cloud, Azure, HashiCorp Vault, GitHub tokens, and even local credential stores such as 1Password and gopass.
Extracted secrets are encrypted and exfiltrated via GitHub API calls to attacker-controlled repositories under the account liuende501, which hosts over 200 repositories acting as dead-drop storage.
In addition to credential theft, the campaign introduces a concerning persistence mechanism by poisoning AI coding environments.
The malware injects configuration backdoors into tools such as Claude Code, Cursor, Gemini, and Visual Studio Code.
The package’s package.json declares "main": "./dist/index.js" as the entry point, so the root index.js is never imported by application code.

These modifications execute automatically when developers open affected projects, potentially influencing future AI-generated code and introducing long-term supply chain risk.
The worm also includes autonomous propagation capabilities. Using stolen npm tokens, it enumerates maintainer packages, injects malicious payloads, and republishes them with forged Sigstore provenance, making compromised packages appear legitimate.
Similar propagation routines target RubyGems and GitHub repositories, highlighting a cross-ecosystem infection model.
Network telemetry confirms anomalous outbound connections during installation, including unexpected downloads from GitHub and API calls for data exfiltration.
These behaviors deviate significantly from normal npm install patterns and provide critical detection opportunities.
The scale, speed, and sophistication of this campaign underscore a growing shift toward highly automated, multi-platform supply chain attacks.
Developers and organizations relying on npm packages are advised to audit dependencies, monitor build-time behavior, and implement runtime protections capable of detecting non-traditional execution vectors such as binding.gyp abuse.
Indicators of Compromise
File Hashes (SHA-256)
From [email protected]:
- Package tarball (.tgz): 288f26c2eadcb1a7923fe376d16f5404216cce15d9fc162a4a78574dc7df399a
- binding.gyp (157 bytes): ef641e956f91d501b748085996303c96a64d67f63bfeef0dda175e5aa19cca90
- Obfuscated root index.js (4.5 MB): 5926b86b642e00672252953eb30d8f75cfb7797fe3118bd6fa2cfbee92905d61
- Decrypted Bun loader (907 bytes): ceff7c51d70832c3ec8dd2744b606a23b3c924ef664ae23439b9b742ea154108
- Decrypted main payload (668 KB): da39146ef451d1b174a24d00b1e2a45cd38d54e849737f8f35333dcb22175707
From @vapi-ai/server-sdk:
- binding.gyp (identical across all versions): ef641e956f91d501b748085996303c96a64d67f63bfeef0dda175e5aa19cca90
- index.js in v1.2.1 (4,870,718 bytes): e3dbe63aded45278f49c4746ab938ed9472b36def79b43e2dd2d7eff014481d1
- index.js in v0.11.2 (4,496,586 bytes): 82d83274680df928fdda296a348e01802f595e412308c399565c320df444052a
C2 Infrastructure
- Exfil account: github.com/liuende501 (236 repos, created programmatically).
- Repo descriptions: “Miasma – The Spreading Blight” and reversed “Shai-Hulud: Here We Go Again”.
- Exfil path pattern: repos/liuende501/{repo}/contents/results/results-{timestamp}.json
- C2 beacon keyword: thebeautifulmarchoftime (GitHub commit search).
- Token validation keyword: IfYouInvalidateThisTokenItWillNukeTheComputerOfTheOwner
- Fake User-Agent: python-requests/2.31.0.
Network Indicators
github.com/oven-sh/bun/releases/download/bun-v1.3.13/bun-*.zip
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

