CyberSecurity SEE

Supply Chain Attack Affects Multiple npm Packages Through binding.gyp

On June 3, 2026, a significant and swiftly executed npm supply chain attack compromised a staggering 57 different packages, delivering more than 286 malicious versions in a coordinated effort that transpired in less than two hours. This incident marks a troubling development in the landscape of cybersecurity, highlighting vulnerabilities within software supply chains that can be rapidly exploited.

The attack initiated around 23:30 UTC with the compromise of the @vapi-ai/server-sdk, the official SDK of Vapi.ai, a voice AI platform featuring over 408,000 monthly downloads. This initial breach set off a wave of subsequent compromises involving numerous packages maintained by the developer known as jagreehal, along with various related package families. In a mere hour following the first compromise, attackers had managed to push malicious updates to over 50 additional packages, including ai-sdk-ollama, which itself boasts more than 120,000 monthly downloads.

The fallout from this breach extended beyond individual packages; other related ecosystems, such as autotel, awaitly, executable-stories, node-env-resolver, and wrangler-deploy, were also infiltrated. This indicates a broad and automated propagation strategy that targeted high-impact developer tools, raising significant alarms about the overall security of the npm ecosystem.

Security researchers have linked this recent assault to a new variant of the Miasma worm, a form of self-propagating supply chain malware that had previously been observed compromising npm packages associated with Red Hat just days before. Among the more alarming aspects of this new wave of attacks is the introduction of a stealthy execution method dubbed “Phantom Gyp.” This technique enables attackers to bypass conventional npm security checks by leveraging the binding.gyp native build configuration file, instead of the typical preinstall or postinstall scripts.

According to reports from StepSecurity, the attack relies on a remarkably small yet exceedingly impactful binding.gyp file measuring only 157 bytes. When this file is detected by npm, it triggers the node-gyp rebuild process, which is standard for compiling native modules. The attackers have cleverly weaponized the command substitution features within gyp to execute hidden payloads during installation, effectively reaching arbitrary code execution without arousing the suspicions of conventional lifecycle script monitoring tools.
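The detection opportunity here is that gyp's command-expansion syntax is fixed and grep-able: `<!(cmd)` and `<!@(cmd)` tell gyp to run `cmd` in a shell when node-gyp reads the file. The scanner below is an added example written for this article, not code from StepSecurity or from any of the affected projects; it walks a `node_modules` tree, flags every `binding.gyp` that uses command expansion, and separately flags packages that ship a `binding.gyp` but no C/C++ source to compile (a native build file with nothing to build is the shape the article describes). The two sample packages it creates are constructed for the demo and are not real packages.

```python
"""Added example: flag binding.gyp files that rely on gyp command expansion.

Not code from the article or from StepSecurity. It assumes only stock gyp
syntax: "<!(cmd)" and "<!@(cmd)" are expanded by running cmd in a shell when
node-gyp processes the file, which is the build-time hook the article describes.
"""
import re
import tempfile
from pathlib import Path

# gyp's command-expansion operators; either one runs a shell command at build time.
COMMAND_EXPANSION = re.compile(r"<!@?\(")
NATIVE_SOURCE_SUFFIXES = {".c", ".cc", ".cpp", ".cxx", ".h", ".m", ".mm"}


def has_native_sources(pkg_dir: Path) -> bool:
    """True if the package ships any C/C++/ObjC source a real addon would compile."""
    for p in pkg_dir.rglob("*"):
        if "node_modules" in p.relative_to(pkg_dir).parts:
            continue  # nested dependencies are scanned on their own
        if p.is_file() and p.suffix in NATIVE_SOURCE_SUFFIXES:
            return True
    return False


def inspect_binding_gyp(gyp_path: Path) -> list[str]:
    """Return the reasons this binding.gyp looks suspicious; an empty list means none."""
    reasons = []
    text = gyp_path.read_text(errors="replace")
    if COMMAND_EXPANSION.search(text):
        reasons.append("uses gyp command expansion <!( ... ), i.e. runs a shell "
                       "command during node-gyp rebuild")
    if not has_native_sources(gyp_path.parent):
        reasons.append(f"{gyp_path.stat().st_size}-byte binding.gyp but no "
                       "native sources to compile")
    return reasons


def scan_node_modules(root: Path) -> dict[str, list[str]]:
    """Map each package (path relative to root) with a suspicious binding.gyp to its reasons."""
    findings = {}
    for gyp in sorted(Path(root).rglob("binding.gyp")):
        reasons = inspect_binding_gyp(gyp)
        if reasons:
            findings[gyp.parent.relative_to(root).as_posix()] = reasons
    return findings


# Constructed samples for the demo; neither is a real package.
GOOD_GYP = """{
  "targets": [
    { "target_name": "addon", "sources": [ "src/addon.cc" ] }
  ]
}
"""
# Command expansion with a harmless echo, standing in for the hidden payload
# launcher the article describes.
SUSPICIOUS_GYP = ('{"targets":[{"target_name":"x",'
                  '"variables":{"v":"<!(echo constructed-sample)"}}]}\n')


def demo() -> dict[str, list[str]]:
    """Build a throwaway node_modules tree with one clean and one suspicious package and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        good = root / "good-native"
        (good / "src").mkdir(parents=True)
        (good / "binding.gyp").write_text(GOOD_GYP)
        (good / "src" / "addon.cc").write_text("// constructed placeholder source\n")
        bad = root / "@constructed" / "suspicious-pkg"
        bad.mkdir(parents=True)
        (bad / "binding.gyp").write_text(SUSPICIOUS_GYP)
        (bad / "package.json").write_text(
            '{"name": "@constructed/suspicious-pkg", "main": "./dist/index.js"}\n')
        return scan_node_modules(root)


if __name__ == "__main__":
    for pkg, reasons in demo().items():
        print(pkg)
        for reason in reasons:
            print("  -", reason)
```

Pointing `scan_node_modules` at a real project's `node_modules` gives a list to review by hand; command expansion has legitimate uses in some native addons (locating headers, querying `node -p`), so a hit is a prompt to read the file, not a verdict. Running `npm install --ignore-scripts` in CI and building native addons in a separate, network-restricted step is the complementary control.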

The malware follows a multi-stage payload chain post-execution, commencing with heavy obfuscation techniques that employ ROT-based encoding and eval execution. Following this obfuscation, it then utilizes AES-128-GCM decryption to access embedded payloads, effectively ensuring a covert operation. A particularly notable tactic included the rapid downloading and deployment of the Bun runtime, which allows the final malicious stages to execute outside of the Node.js environment, successfully circumventing many runtime detection methods.

Runtime analysis of this malware indicates a carefully structured kill chain. Within seconds of installation, the malware not only downloads additional dependencies but also executes obfuscated scripts, escalates privileges via sudo python3, and accesses GitHub Actions runner memory to retrieve sensitive secrets. This malicious software specifically targets masked secrets, facilitating the recovery of confidential credentials in plaintext from the Runner.Worker process memory.

This sophisticated malware demonstrates significant credential harvesting capabilities across various cloud and developer environments. It specifically hunts for credentials from AWS, Google Cloud, Azure, HashiCorp Vault, GitHub tokens, and even local storage solutions such as 1Password and gopass. Once these secrets are extracted, they are encrypted and exfiltrated using GitHub API calls to repositories controlled by the attackers, specifically under the account liuende501. This account, which hosts over 200 repositories, serves as a “dead-drop” location for the stolen data.

In addition to credential theft, the campaign introduces a highly concerning persistence mechanism that poisons AI coding environments. The malware injects configuration backdoors into tools like Claude Code, Cursor, Gemini, and Visual Studio Code, which allows for continued exploitation. The compromised package’s package.json file designates “./dist/index.js” as the entry point, meaning that the root index.js file is never directly imported into application code. Consequently, these modifications execute automatically each time a developer opens affected projects, further embedding malicious influences into future AI-generated code and presenting long-term supply chain risks.

Furthermore, the worm displays its autonomy through the propagation of its capabilities. By utilizing stolen npm tokens, it effectively surveys and enumerates maintainer packages, injecting malicious payloads and republishing these compromised packages with forged Sigstore provenance—making them appear legitimate. Targeting similar routines in RubyGems and GitHub repositories, the attack exemplifies a cross-ecosystem infection model.

Network telemetry from this incident has revealed unusual outbound connections during installation processes, including unexpected downloads from GitHub alongside API calls intended for data exfiltration. Such behaviors diverge significantly from standard npm installation patterns, providing crucial detection opportunities for security measures.
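One way to turn that observation into a rule, as an added example that is not part of the article: correlate outbound connections with the process tree, and flag any connection whose ancestor is `npm` or `node-gyp` and whose destination is not a host a plain install legitimately reaches. The log format below is constructed for the demo (one line per connection, with pid, parent pid, process name and destination host); real EDR or eBPF telemetry carries the same fields under different names. The allowlist is an assumption and includes `nodejs.org`, because a genuine `node-gyp rebuild` downloads Node headers from there, which would otherwise produce a false positive on every native addon.

```python
"""Added example (not from the article): flag outbound connections made under an
npm install that go anywhere other than the registry or the node-gyp header host.
The log lines and the allowlist are constructed assumptions for the demo."""
import re
from dataclasses import dataclass

# Assumption: hosts a plain `npm install` of a native addon is expected to reach.
INSTALL_ALLOWLIST = {"registry.npmjs.org", "nodejs.org"}
INSTALL_ROOTS = {"npm", "node-gyp"}  # ancestors that mark "this is install time"

LINE = re.compile(r"^(?P<ts>\S+) pid=(?P<pid>\d+) ppid=(?P<ppid>\d+) "
                  r"comm=(?P<comm>\S+) dst=(?P<dst>\S+)$")


@dataclass(frozen=True)
class ConnEvent:
    ts: str
    pid: int
    ppid: int
    comm: str
    dst: str


def parse_events(lines: list[str]) -> list[ConnEvent]:
    """Parse the constructed log format; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            events.append(ConnEvent(m["ts"], int(m["pid"]), int(m["ppid"]),
                                    m["comm"], m["dst"]))
    return events


def under_install(pid: int, parents: dict[int, tuple[int, str]]) -> bool:
    """Walk up the process tree and report whether npm or node-gyp is an ancestor."""
    seen = set()
    while pid in parents and pid not in seen:
        seen.add(pid)
        ppid, comm = parents[pid]
        if comm in INSTALL_ROOTS:
            return True
        pid = ppid
    return False


def flag_install_egress(lines: list[str]) -> list[tuple[int, str, str]]:
    """Return (pid, comm, dst) for every install-time connection outside the allowlist."""
    events = parse_events(lines)
    parents = {e.pid: (e.ppid, e.comm) for e in events}
    return [(e.pid, e.comm, e.dst) for e in events
            if e.dst not in INSTALL_ALLOWLIST and under_install(e.pid, parents)]


# Constructed sample telemetry: a native addon build that spawns a shell which
# then fetches a runtime from GitHub, followed by an unrelated, legitimate git push.
SAMPLE_LOG = [
    "2026-06-03T23:31:02Z pid=4711 ppid=1 comm=npm dst=registry.npmjs.org",
    "2026-06-03T23:31:09Z pid=4733 ppid=4711 comm=node-gyp dst=nodejs.org",
    "2026-06-03T23:31:11Z pid=4740 ppid=4733 comm=sh dst=github.com",
    "2026-06-03T23:31:14Z pid=4752 ppid=4740 comm=bun dst=api.github.com",
    "2026-06-03T23:40:00Z pid=5100 ppid=1 comm=git dst=github.com",
]

if __name__ == "__main__":
    for pid, comm, dst in flag_install_egress(SAMPLE_LOG):
        print(f"install-time egress: pid={pid} comm={comm} -> {dst}")
```

The `git` connection at the end is deliberately not flagged: it reaches GitHub too, but not under an install, which is the distinction that keeps this rule quiet on a normal developer workstation. Two lines are flagged, the shell spawned by node-gyp and the Bun process it started, matching the "unexpected downloads from GitHub alongside API calls" pattern the article describes.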

The scale, rapidity, and sophistication inherent in this recent attack illustrate a concerning trend toward highly automated, multi-platform supply chain attacks. Developers and organizations that utilize npm packages are strongly urged to conduct thorough audits of their dependencies, monitor build-time behavior, and employ runtime protections capable of detecting non-traditional execution vectors, such as those arising from binding.gyp exploitation.
