
Miasma Worm Exploits Node GYP Build File to Inject Malicious Code in npm Packages

The Phantom Gyp technique abuses npm's automatic node-gyp rebuild step to execute malicious code during package installation, bypassing standard security scanners.

CSBadmin

The Phantom Gyp Technique

A new supply chain attack targeting the npm registry has been discovered using a previously overlooked infection vector. Instead of hiding malicious code in the package.json scripts that security tools commonly scan, the attackers weaponized the binding.gyp configuration file. npm uses this file to trigger a node-gyp rebuild when a package contains native C or C++ code. The attacker embedded a shell command using gyp's command substitution syntax; it executes silently during npm install while returning a fake source filename so the build does not fail. Security researchers at StepSecurity named this technique Phantom Gyp and identified it as the delivery mechanism for a new variant of the Miasma worm.
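As an added defender-side example (not code from the article or from StepSecurity), the following Python script audits an npm package for exactly this pattern: a binding.gyp that npm would build automatically on install and that contains gyp command expansions (`<!(cmd)` or `<!@(cmd)`). The package layout, the `demo` helper and the sample binding.gyp are constructed assumptions.

```python
import json
import tempfile
from pathlib import Path

# gyp expands "<!(cmd)" / "<!@(cmd)" by running cmd in a shell at configure time.
def find_command_expansions(gyp_text: str) -> list[str]:
    """Return every shell command the gyp text would run (nested parens ok)."""
    cmds, i = [], 0
    while (start := gyp_text.find("<!", i)) != -1:
        j = start + 2 + (gyp_text[start + 2:start + 3] == "@")
        if gyp_text[j:j + 1] != "(":
            i = start + 2
            continue
        depth, k = 0, j
        while k < len(gyp_text):
            depth += {"(": 1, ")": -1}.get(gyp_text[k], 0)
            if depth == 0:
                break
            k += 1
        cmds.append(gyp_text[j + 1:k].strip())
        i = k + 1
    return cmds

def implicit_rebuild(pkg_dir: Path) -> bool:
    """npm runs `node-gyp rebuild` when binding.gyp exists and no install script is set."""
    if not (pkg_dir / "binding.gyp").is_file():
        return False
    manifest = json.loads((pkg_dir / "package.json").read_text())
    return "install" not in manifest.get("scripts", {})

def audit_package(pkg_dir: Path) -> dict:
    """Report whether npm install would run hidden commands from binding.gyp."""
    gyp = pkg_dir / "binding.gyp"
    cmds = find_command_expansions(gyp.read_text()) if gyp.is_file() else []
    return {"implicit_rebuild": implicit_rebuild(pkg_dir), "commands": cmds}

# Constructed sample (not from the campaign): commands disguised as source names.
SAMPLE_GYP = """{
  'targets': [{
    'target_name': 'addon',
    'sources': ['<!(echo addon.cc)', '<!@(node -e "console.log(1)")'],
  }],
}"""

def demo() -> dict:
    """Write the constructed package to a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = Path(tmp)
        (pkg / "package.json").write_text(json.dumps({"name": "sample"}))
        (pkg / "binding.gyp").write_text(SAMPLE_GYP)
        return audit_package(pkg)
```

Run `audit_package` over each directory under node_modules after an install in an isolated environment; any package with `implicit_rebuild` true and a non-empty `commands` list deserves manual review.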

Impact and Scope of the Attack

The campaign compromised 57 npm packages across more than 286 malicious versions in a rapid two-hour window on June 3, 2026. The primary target was @vapi-ai/server-sdk, the official Vapi.ai voice AI server SDK with over 408,000 monthly downloads, which was struck first. Within an hour, more than 50 additional packages belonging to the same maintainer were also poisoned, including ai-sdk-ollama with over 120,000 monthly downloads. The payload is a self-replicating worm that spreads through the registry by infecting new packages. This attack followed a similar campaign just two days earlier that hit 32 packages under a Red Hat npm namespace. The attacker left a taunt in 195 GitHub repository descriptions, decoding to a phrase referencing previous security research on the Miasma worm, which points to a calculated and persistent threat.

Source: Cyber Security News
