Miasma npm Supply Chain Attack: Self-Spreading Worm via Phantom Gyp - StepSecurity


Threat Intel


A self-replicating worm is spreading across the npm registry using binding.gyp, a file that triggers code execution during npm install without touching package.json scripts. The attack bypasses conventional security tools and has already compromised dozens of packages across multiple maintainer accounts.

Sai Likhith

June 3, 2026


An attacker compromised 57 npm packages across 286+ malicious versions in a rolling campaign lasting under two hours. The largest victim is @vapi-ai/server-sdk, the official Vapi.ai voice AI server SDK with 408,000+ monthly downloads, hit first at 23:30 UTC on June 3. One hour later, the attacker published malicious versions of 50+ packages belonging to the maintainer jagreehal, including ai-sdk-ollama (120,000+ monthly downloads), along with dozens of packages across the autotel, awaitly, executable-stories, node-env-resolver, and wrangler-deploy families.

The payload is a new variant of the Miasma worm, a self-spreading supply chain malware family that previously compromised 32 packages under the @redhat-cloud-services npm namespace on June 1, 2026 (our earlier analysis), and 4 versions of @vapi-ai/server-sdk on June 3, 2026. This wave uses a technique we are calling "Phantom Gyp": instead of the preinstall or postinstall lifecycle scripts that security tools typically monitor, the attacker abuses a 157-byte binding.gyp file to trigger code execution during npm install. The hook works because npm, when a package ships a binding.gyp and defines no install or preinstall script of its own, defaults the install step to node-gyp rebuild; a scanner that only inspects the scripts block of package.json therefore sees nothing, and most install-script security checks are bypassed entirely.

In our analysis, we traced the exfiltration path to the GitHub account liuende501, which hosts 236 repositories used as credential dead-drops. The malware creates a new repo on the fly (e.g., nemean-hydra-34343), then uploads stolen credentials as encrypted JSON files to a results/ directory. The repo descriptions confirm the malware's identity: 34 are labeled "Miasma - The Spreading Blight" and 195 carry the reversed string "niagA oG eW ereH :duluH-iahS", which reads "Shai-Hulud: Here We Go Again", a direct taunt referencing our previous blog post on the RedHat Cloud Services compromise two days earlier.

We have responsibly disclosed this incident to all affected maintainers: ai-sdk-ollama #975, autotel #197, awaitly #358, executable-stories #219, node-env-resolver #50, workflow #95, effect-analyzer #128, mountly #87, wrangler-deploy #130, and evolv-coder-lite #60.

Affected packages

The following table lists all packages and versions identified as compromised so far.

| Package | Malicious versions |
| --- | --- |
| @evolvconsulting/evolv-coder-lite | 1.2.0 |
| @jagreehal/workflow | 1.16.1 |
| @vapi-ai/server-sdk | 0.11.1, 0.11.2, 1.2.1, 1.2.2 |
| ai-sdk-ollama | 0.13.1, 1.1.1, 2.2.1, 3.8.5 |
| autotel | 2.26.4, 3.4.3 |
| autotel-adapters | 0.3.5 |
| autotel-audit | 0.1.15 |
| autotel-aws | 0.13.10 |
| autotel-backends | 2.12.26 |
| autotel-cli | 0.8.14 |
| autotel-cloudflare | 2.18.16 |
| autotel-devtools | 0.1.1, 1.0.4, 2.1.1, 3.0.2, 4.0.1, 5.1.1, 6.1.2 |
| autotel-drizzle | 0.0.27 |
| autotel-edge | 3.16.13 |
| autotel-eventcatalog | 1.0.1, 2.0.1, 3.0.1, 4.0.2, 5.0.1 |
| autotel-hono | 0.4.26 |
| autotel-mcp | 0.1.14, 2.0.1, 3.0.1, 4.0.1, 5.0.1, 6.0.1, 7.0.1, 8.0.1, 9.0.1, 10.0.1, 11.0.1, 13.0.1, 14.0.1, 15.0.2, 16.0.1, 17.0.2, 18.0.1, 19.0.1, 20.0.1, 21.1.1, 22.0.1, 23.0.1, 24.0.1, 25.0.1, 26.0.2, 27.0.1, 28.0.3 |
| autotel-mcp-instrumentation | 29.0.2, 30.0.5, 31.0.1, 32.0.1, 33.0.2, 34.0.1 |
| autotel-mongoose | 0.0.3, 1.0.2, 2.0.5, 3.0.1, 4.0.1, 5.0.2, 6.0.1 |
| autotel-pact | 0.2.2, 1.0.3 |
| autotel-playwright | 0.4.32 |
| autotel-plugins | 0.19.26 |
| autotel-sentry | 0.5.13 |
| autotel-subscribers | 4.1.1, 5.0.1, 6.0.1, 7.0.1, 8.0.1, 9.0.1, 10.0.1, 11.0.1, 12.0.1, 13.0.1, 14.1.1, 15.0.1, 16.0.2, 17.0.1, 18.0.3, 19.0.1, 20.0.1, 21.0.1, 22.0.2, 23.0.2, 24.0.1, 25.0.1, 26.0.1, 27.0.2, 28.0.2, 29.0.6, 30.0.4, 31.1.4 |
| autotel-tanstack | 1.13.27 |
| autotel-terminal | 2.1.1, 3.0.1, 4.0.2, 5.0.1, 6.0.3, 7.0.1, 8.0.1, 9.0.1, 10.0.2, 11.0.1, 12.0.1, 13.0.1, 14.0.1, 15.0.2, 16.0.2, 17.0.10, 18.0.4, 19.0.8, 20.0.2, 21.0.1, 22.0.2, 23.0.3 |
| autotel-vitest | 0.4.26 |
| autotel-web | 1.12.2 |
| awaitly | 1.33.3 |
| awaitly-analyze | 0.24.2, 1.1.1, 2.0.1, 3.0.1, 4.0.1, 5.0.1, 6.0.1, 7.0.1, 8.0.1 |
| awaitly-libsql | 0.1.1, 1.0.1, 2.0.1, 3.0.1, 4.0.1, 5.0.1, 6.0.1, 7.0.1, 8.0.1, 9.0.1, 10.0.1, 11.0.1, 12.0.1, 13.0.1, 14.0.1, 15.0.1, 16.0.1, 17.0.1, 18.1.1, 19.0.1, 20.0.1, 21.0.1, 22.0.1 |
| awaitly-mongo | 0.1.1, 1.0.1, 2.0.1, 3.0.1, 4.0.1, 5.0.1, 6.0.1, 7.0.1, 8.0.1, 9.1.1, 10.0.1, 11.0.1, 12.0.1, 13.0.1, 14.0.1, 15.0.1, 16.0.1, 17.0.1, 18.0.1, 19.1.1, 20.0.1, 21.0.1, 22.0.1, 23.0.1 |
| awaitly-postgres | 0.1.1, 1.0.1, 2.0.1, 3.0.2, 4.0.1, 5.0.1, 6.0.1, 7.0.1, 8.0.1, 9.0.1, 10.0.1, 11.0.1, 12.0.1, 13.0.1, 14.0.1, 15.0.1, 16.0.1, 17.0.1, 18.0.1, 19.1.1, 20.0.1, 21.0.1, ... |
