The “Miasma” Worm and the Rise of “Phantom Gyp” Supply Chain Attacks

On June 3, 2026, the developer ecosystem faced a highly coordinated and rapid-fire supply chain assault. In a window of less than two hours, a sophisticated campaign compromised at least 57 npm packages, injecting over 286 malicious versions into the registry. This wasn’t a slow drip of compromised dependencies; it was a synchronized strike designed for maximum velocity and breadth.

The breach sequence began at approximately 23:30 UTC, targeting @vapi-ai/server-sdk, a critical piece of infrastructure for voice AI developers with a monthly download volume exceeding 408,000. From this beachhead, the attack expanded exponentially, sweeping up dozens of packages maintained by jagreehal and various related dependency trees. Within sixty minutes, high-impact tooling like ai-sdk-ollama (120,000+ monthly downloads) was also compromised, alongside ecosystems such as autotel, awaitly, executable-stories, node-env-resolver, and wrangler-deploy.

Security researchers have identified this campaign as a new evolution of the Miasma worm, a self-propagating malware family recently seen targeting Red Hat-associated npm packages. This variant introduces a particularly devious execution vector termed “Phantom Gyp”, which specifically circumvents standard security monitoring by moving away from common preinstall or postinstall lifecycle scripts.

Technical Breakdown: Exploiting the Build Configuration

The “Phantom Gyp” technique is elegant in its simplicity. Instead of triggering alarms through standard script execution, the attackers embed a minimal, 157-byte binding.gyp file within the malicious package. When a developer or a CI/CD pipeline runs npm install, the npm client detects this configuration file and automatically invokes node-gyp rebuild to compile native modules.

By weaponizing the command substitution capabilities within gyp, the attackers achieve arbitrary code execution (ACE) during the build process. Because this happens during the compilation phase rather than the script execution phase, many conventional runtime security tools fail to flag the activity.
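A defensive check for the implicit build path described above, as an added example (not code from the article or from StepSecurity): it walks node_modules, finds packages whose binding.gyp npm would build without any install script declared, and reports gyp command expansions outside an allowlist. The function names, the allowlist entries and the two fixture packages are assumptions constructed for illustration.

```javascript
const fs = require('fs'), os = require('os'), path = require('path');
// Illustrative allowlist (assumption): expansions common in legitimate addons.
const ALLOWED = [
  /^<!@?\(node -p \\?"require\('node-addon-api'\)\.(include_dir|include|gyp)\\?"\)/,
  /^<!\(node -e \\?"require\('nan'\)\\?"\)/,
];

function auditPackage(dir) {
  const gypPath = path.join(dir, 'binding.gyp');
  if (!fs.existsSync(gypPath)) return null;
  let scripts = {};
  try { scripts = JSON.parse(fs.readFileSync(path.join(dir, 'package.json'), 'utf8')).scripts || {}; } catch {}
  // npm defaults "install" to `node-gyp rebuild` only if neither script is set.
  const implicitBuild = !scripts.install && !scripts.preinstall;
  const gyp = fs.readFileSync(gypPath, 'utf8');
  // Check each gyp command expansion separately: <!(cmd), <!@(cmd), <!pymod_do_main(args)
  const suspicious = [...gyp.matchAll(/<!(?:@?\(|pymod_do_main\()/g)]
    .map((m) => gyp.slice(m.index, m.index + 80).split('\n')[0])
    .filter((exp) => !ALLOWED.some((re) => re.test(exp)));
  return { name: path.basename(dir), implicitBuild, bytes: Buffer.byteLength(gyp), suspicious };
}

function scanNodeModules(root) {
  const nm = path.join(root, 'node_modules');
  if (!fs.existsSync(nm)) return [];
  return fs.readdirSync(nm).filter((n) => !n.startsWith('.')).flatMap((name) => {
    const entry = path.join(nm, name); // scoped packages sit one level deeper
    const pkgs = name.startsWith('@') ? fs.readdirSync(entry).map((n) => path.join(entry, n)) : [entry];
    return pkgs.flatMap((pkg) => {
      const hit = auditPackage(pkg);
      return [...(hit && hit.suspicious.length ? [hit] : []), ...scanNodeModules(pkg)];
    });
  });
}

// Constructed fixture: an ordinary addon and a package with an unexpected expansion.
function buildFixture() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'gyp-audit-'));
  const write = (pkg, gyp) => {
    const dir = path.join(root, 'node_modules', pkg);
    fs.mkdirSync(dir, { recursive: true });
    fs.writeFileSync(path.join(dir, 'package.json'), JSON.stringify({ name: pkg }));
    fs.writeFileSync(path.join(dir, 'binding.gyp'), gyp);
  };
  write('good-addon', `{"targets":[{"include_dirs":["<!(node -p \\"require('node-addon-api').include_dir\\")"]}]}`);
  write('odd-pkg', `{"targets":[{"libraries":["<!(node -e \\"require('nan')\\")","<!(echo constructed)"]}]}`);
  return root;
}
console.log(JSON.stringify(scanNodeModules(buildFixture()), null, 2));
```

Point it at a tree installed with `npm install --ignore-scripts`, so the audit runs before any build step has executed. The allowlist is a triage aid only: every reported expansion still needs a human look at what the command does.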

Once initial execution is achieved, the malware triggers a multi-stage payload chain:

  1. Obfuscation & Decryption: The payload utilizes heavy ROT-based encoding and eval() calls to mask its intent, followed by AES-128-GCM decryption of the primary payload.
  2. Environment Shifting: In a clever move to evade Node.js-based detection, the malware rapidly downloads and deploys the Bun runtime. This allows the final stage of the attack to run in a completely different execution environment than the one being monitored.

Runtime Analysis using Harden-Runner (Source: StepSecurity).

The Kill Chain: Credential Harvesting and Persistence

The runtime behavior of the Miasma worm reveals a highly structured and aggressive kill chain. After installation, the malware performs privilege escalation via sudo python3 and immediately moves to harvest secrets. Particularly alarming is its ability to target GitHub Actions runners: by reading the Runner.Worker process memory, it can extract secrets that are otherwise masked in standard logs, recovering them in plaintext.

The scope of credential harvesting is vast, targeting:

  • Cloud Providers (AWS, Google Cloud, Azure)
  • Secret Management Tools (HashiCorp Vault)
  • Developer Tokens (GitHub)
  • Local Credential Stores (1Password, gopass)

Exfiltrated data is sent to attacker-controlled infrastructure via the GitHub API. The data is “dead-dropped” into over 200 repositories managed by the account liuende501.

Beyond simple theft, the worm aims for long-term persistence by poisoning the developer’s IDE. It injects configuration backdoors into Claude Code, Cursor, Gemini, and VS Code. By modifying the package.json to point to a non-standard entry point, the malware remains dormant until the developer opens the affected project, at which point it can influence AI-generated code and compromise the local development environment.

Four-Stage Payload (Source: StepSecurity).

Finally, the worm demonstrates true autonomous propagation. Using stolen npm tokens, it crawls the registry to find maintainer-owned packages, injects itself, and republishes them—complete with forged Sigstore provenance to make the malicious updates appear legitimate. This cross-ecosystem model also extends to RubyGems and GitHub repositories.

Indicators of Compromise (IoCs)

File Hashes (SHA-256)

General Malicious Artifacts:

  • Package tarball (.tgz): 288f26c2eadcb1a7923fe376d16f5404216cce15d9fc162a4a78574dc7df399a
  • binding.gyp (157 bytes): ef641e956f91d501b748085996303c96a64d67f63bfeef0dda175e5aa19cca90
  • Obfuscated root index.js (4.5 MB): 5926b86b642e00672252953eb30d8f75cfb7797fe3118bd6fa2cfbee92905d61
  • Decrypted Bun loader (907 bytes): ceff7c51d70832c3ec8dd2744b606a23b3c924ef664ae23439b9b742ea154108
  • Decrypted main payload (668 KB): da39146ef451d1b174a24d00b1e2a45cd38d54e849737f8f35333dcb22175707

Specific to @vapi-ai/server-sdk:

  • index.js (v1.2.1): e3dbe63aded45278f49c4746ab938ed9472b36def79b43e2dd2d7eff014481d1
  • index.js (v0.11.2): 82d83274680df928fdda296a348e01802f595e412308c399565c320df444052a

C2 and Network Indicators

  • Exfiltration Account: github.com/liuende501
  • Exfiltration Pattern: repos/liuende501/{repo}/contents/results/results-{timestamp}.json
  • C2 Beacon Keyword: thebeautifulmarchoftime
  • Token Validation String: IfYouInvalidateThisTokenItWillNukeTheComputerOfTheOwner
  • Suspicious Download: github.com/oven-sh/bun/releases/download/bun-v1.3.13/bun-*.zip

This campaign highlights a paradigm shift toward automated, multi-platform exploitation. Organizations must move beyond simple dependency auditing and implement build-time monitoring capable of detecting anomalous behaviors in native build configurations.
