BotBeat
...
← Back

> ▌

OllamaOllama
RESEARCHOllama2026-06-04

Critical NPM Supply Chain Attack Spreads as Self-Propagating Worm Through Binding.gyp Exploits

Key Takeaways

  • ▸Malicious binding.gyp file executes arbitrary code during npm install/update via node-gyp's source expansion step
  • ▸Attack harvests CI/CD credentials and self-injects into GitHub Actions workflows to propagate across connected repositories
  • ▸Affects AI SDK packages and other open-source projects, spreading horizontally through the development ecosystem
Source:
Hacker Newshttps://github.com/jagreehal/ai-sdk-ollama/issues/975↗

Summary

A dangerous supply chain attack targeting NPM packages uses a malicious binding.gyp file to spread like a worm, harvesting CI/CD credentials and injecting itself into GitHub Actions workflows. The attack, discovered by StepSecurity's threat intelligence team, affects packages including AI SDKs like ai-sdk-ollama and spreads through a multi-stage payload: when developers run npm install or npm update, node-gyp's build process executes a malicious index.js that downloads the Bun runtime and exfiltrates secrets from the runner environment.

The worm's self-propagating mechanism is particularly dangerous—by injecting itself into GitHub Actions workflow files, it spreads to connected repositories and CI/CD pipelines, enabling horizontal movement across the development ecosystem. The attack represents a critical vulnerability in the npm supply chain, affecting not just Ollama SDK users but potentially any developer using compromised packages.

Security teams are investigating the full scope of affected packages and have published detailed kill chains, indicators of compromise (IOCs), and recovery procedures. Organizations should immediately audit their GitHub Actions logs for unauthorized modifications, rotate exposed credentials, and verify the integrity of their dependencies.

  • StepSecurity provides complete analysis, IOCs, kill chain documentation, and recovery steps for affected maintainers and users

Editorial Opinion

This attack exposes a critical blind spot in open-source supply chain security—the implicit trust in build tools and dependencies. The self-propagating worm mechanism is particularly alarming, as it can spread from a single compromised package to dozens of downstream projects. Organizations urgently need stronger controls over build process execution and GitHub Actions workflows, along with better visibility into which dependencies execute code during installation.

MLOps & InfrastructureCybersecurityPrivacy & DataOpen Source

More from Ollama

OllamaOllama
FUNDING & BUSINESS

Ollama Raises $88M to Democratize Open AI Models

2026-07-19
OllamaOllama
FUNDING & BUSINESS

Ollama Raises $65M Series B to Expand AI Model Accessibility, Reaches 8.9M Monthly Users

2026-07-09
OllamaOllama
RESEARCH

Critical Unpatched Vulnerabilities in Ollama Desktop App Enable Phishing and Data Exfiltration

2026-06-05

Comments

Suggested

AnthropicAnthropic
RESEARCH

Anthropic Demonstrates Feasibility of AI-Powered Code Migrations at Scale: Million-Line Ports Now Possible in Weeks

2026-07-19
Wolfram ResearchWolfram Research
RESEARCH

Wolfram Launches LLM Benchmark for Code Generation Tasks

2026-07-19
OllamaOllama
FUNDING & BUSINESS

Ollama Raises $88M to Democratize Open AI Models

2026-07-19
← Back to news
© 2026 BotBeat
AboutPrivacy PolicyTerms of ServiceContact Us