The campaign began at about 23:30 UTC with the compromise of @vapi-ai/server-sdk, the official server-side software development kit for Vapi. ai’s voice AI platform. The package has more than 408,000 monthly downloads, making it the most visible target in the wave. About an hour later, malicious versions appeared across more than 50 packages linked to the maintainer account jagreehal, including ai-sdk-ollama, which draws more than 120,000 monthly downloads, and package families such as autotel, awaitly, executable-stories, node-env-resolver and wrangler-deploy.
The attack stands out because it used a binding. gyp file to trigger execution during npm install, rather than relying on the preinstall or postinstall scripts that many security tools already monitor. The technique allows malicious code to run through npm’s native add-on build process while leaving package. json lifecycle scripts apparently clean. That made the campaign harder to detect through conventional checks focused on obvious script entries or visible changes to application code.
Researchers tracking the incident have described the method as “Phantom Gyp”, reflecting the way a small build configuration file can silently invoke execution. One analysed package contained a binding. gyp file of only 157 bytes, yet it was enough to initiate the malicious chain. The legitimate package code in the distribution folder was not necessarily altered, reducing visible signs of tampering for developers reviewing the package contents manually.
The payload is assessed as a variant of Miasma, a self-spreading malware family linked to the broader Shai-Hulud-style wave of npm attacks that has escalated through 2026. Its purpose is not merely to infect a single project. Once installed in a developer workstation or a continuous integration environment, it seeks credentials that can be used to publish further compromised packages, turning trusted maintainer access into a propagation channel.
The malware targets GitHub tokens, npm tokens, SSH keys, cloud credentials and secrets from development environments. It also seeks access to AWS, Google Cloud, Microsoft Azure, Kubernetes service-account tokens, HashiCorp Vault material and CI/CD platforms. The danger for companies lies less in the infected package alone than in the access it may gain to build systems, deployment pipelines and private repositories.
Exfiltration appears to have used GitHub as part of the infrastructure. Stolen material was uploaded as encrypted JSON files into attacker-controlled repositories, with hundreds of repositories reportedly acting as credential dead-drops. Some repository descriptions carried “Miasma – The Spreading Blight”, while others used a reversed Shai-Hulud phrase that functioned as both a marker and a taunt.
The June 3 wave followed a separate June 1 compromise affecting packages under the @redhat-cloud-services npm namespace, where malicious versions were pushed through a compromised account and carried a related credential-harvesting payload. That earlier incident showed how a trusted organisational namespace can become a distribution vehicle when developer or automation credentials are abused.
The broader pattern has become a central concern for software supply chain defenders. npm has long been a high-value target because JavaScript projects routinely pull in direct and transitive dependencies at scale. A single compromised maintainer account can expose not only direct users of a package but also downstream projects that inherit it through dependency trees.
The attack also highlights a limitation in policies that focus only on lifecycle scripts. Many organisations have hardened pipelines against packages that declare install-time commands, but binding. gyp abuse shifts attention to native build tooling and node-gyp behaviour. Projects that do not require native add-ons may now face pressure to block or inspect such build files more aggressively.
Follow Arabian Post
Select Arabian Post as your preferred source on Google and MSN News for trusted business news and Arab politics and updates.
