Binding.gyp Supply Chain Attack Enables CI/CD Worm Propagation Across npm Packages (Campaign)
ID: da1e8749-64a9-5917-aba8-54e16ec9ba21
STIX ID: report--da1e8749-64a9-5917-aba8-54e16ec9ba21
Feed Name: Wiz Cloud Threat Landscape
Date Published: 2026-06-04
Date Updated: 2026-07-02
Author: [email protected] (Wiz Threat Research)
Researchers identified an active supply-chain campaign targeting multiple npm packages in which attackers compromised maintainer accounts and published malicious versions containing a crafted binding.gyp file. During installation, node-gyp executes attacker-controlled commands via shell expansion in the binding.gyp sources array, launching an obfuscated JavaScript payload and bypassing typical preinstall/postinstall checks and package review processes, enabling CI/CD-style worm propagation across packages.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
