Miasma Worm's 'Phantom Gyp' Attack Hits 57 npm Packages Including Vapi AI SDK
Key Takeaways
- Phantom Gyp bypasses npm security monitoring by abusing binding.gyp files to execute code during installation, evading tools that watch only preinstall/postinstall lifecycle scripts
- Vapi.ai's official SDK, with 408,000+ monthly downloads, was the first and largest victim, followed by 50+ additional compromised packages from various maintainers in a coordinated attack
- The Miasma worm self-propagates and exfiltrates credentials to attacker-controlled GitHub repositories; the attacker explicitly taunted previous incident response efforts
Summary
A sophisticated supply chain attack leveraging a novel exploitation technique called 'Phantom Gyp' compromised 57 npm packages across 286+ malicious versions in a rapid rolling campaign lasting under two hours on June 3, 2026. The attack specifically targeted Vapi.ai's official server SDK (@vapi-ai/server-sdk), which boasts over 408,000 monthly downloads, making it the largest victim in this wave of malicious releases.
The Miasma worm is a self-propagating supply chain malware variant that bypasses traditional security monitoring by abusing a 157-byte binding.gyp file to trigger code execution during npm install. Rather than relying on the preinstall or postinstall lifecycle scripts that most security tools monitor, the Phantom Gyp technique exploits npm's build system to execute arbitrary code undetected, representing a significant evasion advancement over previous Miasma variants.
Beyond Vapi.ai's SDK, the attack also compromised over 50 packages maintained by jagreehal (including ai-sdk-ollama with 120,000+ monthly downloads), along with multiple package families including autotel, awaitly, executable-stories, node-env-resolver, and wrangler-deploy. The attacker left a taunting message referencing a previous RedHat Cloud Services compromise from just two days earlier, suggesting a deliberately escalating campaign.
Security researchers traced the credential exfiltration infrastructure to a GitHub account hosting 236 repositories used as dead-drops, where stolen API keys and secrets were uploaded as encrypted JSON files. The incident highlights critical vulnerabilities in npm package supply chain security and the inadequacy of current monitoring tools that focus exclusively on lifecycle scripts while ignoring build system configuration vectors.
- The attack spread across 57 packages and 286+ versions in under two hours, demonstrating the rapid scale of modern supply chain attacks
- Current npm security tooling has a critical blind spot: build system configuration files remain largely unmonitored, enabling code execution that bypasses traditional detection mechanisms
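One way to close the monitoring gap described above, as an added example that is not from the original report or from any affected project: npm's documented default is to run `node-gyp rebuild` for a package that has a root binding.gyp and declares no install or preinstall script, so this audit lists every such package in an installed tree. The function names, the fixture packages and the "binding.gyp with no native sources" heuristic are assumptions made for illustration.

```javascript
const fs = require('node:fs'), os = require('node:os'), path = require('node:path');

// True if the package ships any C/C++/Objective-C source for node-gyp to compile.
function hasNativeSources(dir) {
  return fs.readdirSync(dir, { withFileTypes: true }).some((e) => (e.isDirectory()
    ? e.name !== 'node_modules' && hasNativeSources(path.join(dir, e.name))
    : /\.(c|cc|cpp|cxx|h|hpp|m|mm)$/i.test(e.name)));
}
// Yield every package directory, including @scope/name and nested node_modules.
function* packageDirs(nodeModules) {
  if (!fs.existsSync(nodeModules)) return;
  for (const e of fs.readdirSync(nodeModules, { withFileTypes: true })) {
    if (!e.isDirectory() || e.name.startsWith('.')) continue;
    const dir = path.join(nodeModules, e.name);
    if (e.name.startsWith('@')) yield* packageDirs(dir);
    else { yield dir; yield* packageDirs(path.join(dir, 'node_modules')); }
  }
}
// Report each package with a root binding.gyp, highest review priority first.
function auditImplicitGypBuilds(nodeModules) {
  const findings = [];
  for (const dir of packageDirs(nodeModules)) {
    const gyp = path.join(dir, 'binding.gyp');
    if (!fs.existsSync(gyp)) continue;
    const { name, version, scripts = {} } = JSON.parse(fs.readFileSync(path.join(dir, 'package.json'), 'utf8'));
    // npm runs `node-gyp rebuild` on its own when neither script is declared.
    const implicitBuild = !scripts.install && !scripts.preinstall;
    const nativeSources = hasNativeSources(dir);
    findings.push({ name, version, gypBytes: fs.statSync(gyp).size, implicitBuild, nativeSources,
      risk: (implicitBuild ? 2 : 0) + (nativeSources ? 0 : 1) });
  }
  return findings.sort((a, b) => b.risk - a.risk);
}
// Constructed fixture: an ordinary native addon and a gyp-only scoped package.
function buildFixture() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'gyp-audit-'));
  const put = (rel, text) => {
    fs.mkdirSync(path.dirname(path.join(root, rel)), { recursive: true });
    fs.writeFileSync(path.join(root, rel), text);
  };
  put('native-addon/package.json', '{"name":"native-addon","version":"1.0.0"}');
  put('native-addon/binding.gyp', '{"targets":[{"target_name":"a","sources":["a.cc"]}]}');
  put('native-addon/a.cc', '// constructed\n');
  put('@example/gyp-only/package.json', '{"name":"@example/gyp-only","version":"9.9.9"}');
  put('@example/gyp-only/binding.gyp', '{"targets":[]}');
  return root;
}

console.table(auditImplicitGypBuilds(buildFixture()));
```

Point `auditImplicitGypBuilds` at a project's real `node_modules` directory after an install run with `--ignore-scripts`; a package that scores 3 (implicit build, nothing to compile) deserves manual review before any build step is allowed to run.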
Editorial Opinion
This attack exposes a dangerous gap between security tooling and attacker innovation. Even after the RedHat Cloud Services incident just two days prior, the same threat actors evolved their techniques and struck major AI infrastructure providers before defenses could adapt. The Phantom Gyp technique is particularly troubling because it fundamentally challenges the assumption that monitoring lifecycle scripts provides adequate npm security—the industry now needs broader oversight of build configurations and runtime execution monitoring in CI/CD pipelines to meaningfully reduce supply chain risk.



