Malicious binding.gyp Campaign Targets npm Packages Across Maintainer Accounts

On June 3, 2026, a coordinated npm supply-chain attack compromised 57 packages by embedding a tiny binding.gyp that triggered node-gyp to execute a 4.5 MB Miasma worm payload; the worm downloads the Bun runtime to evade detection, harvests AWS/GCP/Azure credentials and GitHub Actions secrets, installs backdoors targeting AI coding assistants, and exfiltrates stolen data to GitHub repositories, with multiple file hashes and IoCs provided.