binding.gyp Supply Chain Attack Compromises Dozens of npm Packages Across Maintainer Accounts
ID: 7f069b36-edb4-56d7-b4a8-a0554116308d
STIX ID: report--7f069b36-edb4-56d7-b4a8-a0554116308d
Feed Name: cybersecurityNews.com
**Executive summary:** StepSecurity and CSN describe a rapid, highly sophisticated npm supply-chain campaign named "Phantom Gyp" that used a 157-byte binding.gyp install hook to execute a self-replicating worm, Miasma, during `npm install`. The campaign compromised 57 packages across 286 malicious versions, including widely downloaded SDKs. The malware harvests CI and cloud credentials, propagates by injecting itself into further packages and republishing them with forged SLSA/Sigstore provenance, and plants AI assistant backdoors. The report includes extensive IoCs and mitigation recommendations.