A sophisticated supply chain attack has compromised dozens of npm packages, including some with hundreds of thousands of monthly downloads, by exploiting a previously unknown vulnerability in the binding.gyp file. The Miasma malware, which has been linked to previous attacks on Red Hat's npm namespace, uses a technique called "Phantom Gyp" to bypass conventional security tools and execute malicious code during package installation.
What Happened
The attack began on June 3, when an attacker compromised the @vapi-ai/server-sdk package, which has over 408,000 monthly downloads. Within an hour, the attacker published malicious versions of 50+ packages belonging to the maintainer jagreehal, including ai-sdk-ollama (120,000+ monthly downloads), along with dozens of packages across the autotel, awaitly, executable-stories, node-env-resolver, and wrangler-deploy families. The malware creates a new repository on GitHub, uploads stolen credentials as encrypted JSON files, and labels the repositories with taunts referencing previous attacks.
The compromised packages are build-time dependencies for various applications, including frontend components and API clients for the Red Hat Hybrid Cloud Console. Several of these packages pull meaningful traffic on their own, making them a significant concern for developers who rely on them. The attack has been linked to a GitHub account that hosts 236 repositories used as credential dead-drops.
Background and Context
The Miasma malware is a self-spreading supply chain malware family that was first identified in June 2026, when it compromised 32 packages under the @redhat-cloud-services npm namespace. The attack used a preinstall script to run an obfuscated payload during package installation, harvesting developer and cloud credentials and attempting to spread itself to other packages. The malware's payload is derived from the (Mini) Shai-Hulud worm open-sourced by TeamPCP earlier this year.
The latest variant of Miasma uses a technique called "Phantom Gyp" to bypass conventional security tools and execute malicious code during package installation. This approach makes detection and version tracking significantly more difficult, as the malware generates a uniquely encrypted payload for each infection. The attack has been linked to a compromised Red Hat employee GitHub account that pushed malicious orphan commits requesting an npm-publishing OIDC token and published packages with valid SLSA provenance.
Why it Matters
The Miasma attack highlights the importance of secure access and elimination of lateral movement in software development. The use of binding.gyp to execute malicious code during package installation is a previously unknown vulnerability that has been exploited by attackers. This type of attack can have significant consequences for developers who rely on compromised packages, as it can lead to unauthorized access to sensitive data and systems.
The attack also underscores the need for robust security measures in software development, including regular updates and patches, secure coding practices, and thorough testing. Developers should be aware of the risks associated with using compromised packages and take steps to mitigate them, such as pinning away from affected versions, reinstalling with scripts disabled, and rotating every credential that was reachable from an affected workstation or CI runner.
What Comes Next
The investigation into the Miasma attack is ongoing, and it is unclear what other packages may have been compromised. Developers should be vigilant in monitoring their dependencies and take steps to protect themselves against similar attacks. The use of binding.gyp to execute malicious code during package installation highlights the need for robust security measures in software development and underscores the importance of secure access and elimination of lateral movement.
Key Facts
- The Miasma malware has compromised dozens of npm packages, including some with hundreds of thousands of monthly downloads.
- The attack uses a technique called "Phantom Gyp" to bypass conventional security tools and execute malicious code during package installation.
- The malware creates a new repository on GitHub, uploads stolen credentials as encrypted JSON files, and labels the repositories with taunts referencing previous attacks.
- The compromised packages are build-time dependencies for various applications, including frontend components and API clients for the Red Hat Hybrid Cloud Console.
- The attack has been linked to a compromised Red Hat employee GitHub account that pushed malicious orphan commits requesting an npm-publishing OIDC token and published packages with valid SLSA provenance.