Miasma npm Worm Hits 57 Packages via binding.gyp
AI relevance: The Miasma worm specifically targeted AI-coding-adjacent packages including ai-sdk-ollama (120K monthly downloads) and autotel-mcp, using compromised maintainer accounts to spread through developer and agent tooling supply chains.
What happened
- On June 3–4, 2026, attackers published 286 malicious versions across 57 npm packages in a self-replicating supply-chain campaign dubbed "Miasma" by Endor Labs and StepSecurity.
- The worm uses a novel install-time execution technique via binding.gyp files: npm runs node-gyp rebuild automatically when a package ships a binding.gyp, with no lifecycle script declared, bypassing standard "no postinstall" security checks.
- The trigger file abuses gyp command substitution to run node index.js during install, executing before any application code imports the package.
- The payload uses layered obfuscation: a 4.5MB root index.js with an eval(ROT-n(...)) decode-then-execute wrapper that unpacks a self-decrypting AES-128-GCM stage. ROT keys rotated between versions (shift 15 vs shift 18) published in the same minute.
- The final stage downloads a standalone Bun runtime to execute outside Node, then harvests AWS, GCP, Azure, Vault, and Kubernetes credentials, GitHub Actions OIDC tokens, and npm, GitHub, and RubyGems registry tokens.
- The malware republishes packages owned by the compromised maintainer using forged provenance metadata, enabling self-propagation across trusted package ecosystems.
- Targeted packages included ai-sdk-ollama (Ollama-to-Vercel AI SDK bridge, 120K+ monthly downloads), @vapi-ai/server-sdk (408K+ monthly downloads), and the entire autotel ecosystem of agent tooling packages.
- This campaign follows an earlier Miasma wave targeting @redhat-cloud-services packages on June 1, 2026, confirming the same attacker infrastructure and worm mechanics.
- SafeDep confirmed the worm also targets AI coding agent configuration files, injecting malicious settings to expand its reach.
Why it matters
binding.gyp has become an install-time execution surface that most AppSec teams do not monitor. The Miasma worm proves that an npm package can execute malicious code even when package.json shows no lifecycle scripts. For AI agent deployments that auto-install packages or rely on npm ecosystems for tooling, this is a direct supply-chain risk: the worm steals exactly the credentials (cloud, registry, OIDC) that agent systems depend on.
What to do
- Audit all npm dependencies for binding.gyp files — treat them as equivalent to postinstall scripts.
- Pin dependencies with lockfiles and verify package integrity hashes before deploying to production.
- Rotate all cloud and registry credentials if any affected package was installed in your CI/CD or agent environments.
- Monitor npm for new versions of packages in the autotel, awaitly, executable-stories, and node-env-resolver namespaces.